[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread STINNER Victor


Change by STINNER Victor :


--
nosy: +vstinner

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Eryk Sun


Eryk Sun  added the comment:

> For clarity, I'm removing 3.9 from the affected versions. This version 
> does not support Windows 7, and only Windows 7 is vulnerable to this
> DLL hijack.

I added 3.9 for the related issue to switch to using a static import, since 
Windows 7 isn't supported in 3.9. But I guess that should have been made a 
separate issue, or added to the omnibus issue bpo-32592.

--




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Steve Dower  added the comment:

For clarity, I'm removing 3.9 from the affected versions. This version does not 
support Windows 7, and only Windows 7 is vulnerable to this DLL hijack.

Also submitting the CVE request.

--
versions:  -Python 3.9




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +17614
pull_request: https://github.com/python/cpython/pull/18234




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +17613
pull_request: https://github.com/python/cpython/pull/18233




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Change by Steve Dower :


--
pull_requests: +17612
pull_request: https://github.com/python/cpython/pull/18232




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Change by Steve Dower :


--
keywords: +patch
pull_requests: +17611
stage: needs patch -> patch review
pull_request: https://github.com/python/cpython/pull/18231




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-28 Thread Steve Dower


Change by Steve Dower :


--
assignee:  -> steve.dower




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Ned Deily


Change by Ned Deily :


--
nosy: +ned.deily




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Ned Deily


Change by Ned Deily :


--
priority: normal -> deferred blocker




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-22 Thread Steve Dower


Steve Dower  added the comment:

Agreed, we can just search System32 for this. Thanks for doing the patch!

For future reference, and for anyone else reading this, we generally prefer 
unavoidable DLL hijacking bugs to come to the Python Security Response Team 
first (secur...@python.org).

--




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-20 Thread Eryk Sun


Eryk Sun  added the comment:

> On Win7, running Python in the terminal will attempt to load the 
> "api-ms-win-core-path-l1-1-0.dll" from various paths outside of the 
> Python directory and the C:\Windows\System32 directories.

"api-ms-win-core-path-l1-1-0.dll" is not assigned in the API set schema (in 
ApiSetSchema.dll) in Windows 7. Since the name is neither in the list of known 
DLLs nor the list of assigned API sets, the loader searches for it in the 
normal way. (FYI, the number of API sets increased from 35 in Windows 7 up to 
502 in Windows 8.1.)

> I'm working on a fix to pass the LOAD_LIBRARY_SEARCH_DEFAULT_DIRS

I think this could use just LOAD_LIBRARY_SEARCH_SYSTEM32. I see no reason to 
try to load "api-ms-win-core-path-l1-1-0.dll" from the application directory or 
user directories.

I'm adding 3.6-3.9 to the list of affected versions. In 3.9 it can use a static 
import instead (i.e. remove LoadLibraryExW / GetProcAddress), since only 
Windows 8.1+ is supported.

--
components: +Windows
nosy: +eryksun, paul.moore, steve.dower, tim.golden, zach.ware
stage:  -> needs patch
type:  -> security
versions: +Python 3.6, Python 3.7, Python 3.8, Python 3.9




[issue39401] Unsafe dll loading in getpathp.c on Win7

2020-01-20 Thread Anthony Wee


New submission from Anthony Wee :

On Win7, running Python in the terminal will attempt to load the 
"api-ms-win-core-path-l1-1-0.dll" from various paths outside of the Python 
directory and the C:\Windows\System32 directories. This behavior can be 
verified using Process Monitor (see attachment).

This is happening due to direct calls to LoadLibraryW() in getpathp.c without 
any "LOAD_LIBRARY_SEARCH*" flags.

In join():

https://github.com/python/cpython/blob/c02b41b1fb115c87693530ea6a480b2e15460424/PC/getpathp.c#L255

and canonicalize():

https://github.com/python/cpython/blob/c02b41b1fb115c87693530ea6a480b2e15460424/PC/getpathp.c#L291

For both cases, the methods they are trying to load from 
api-ms-win-core-path-l1-1-0.dll (PathCchCanonicalizeEx and PathCchCombineEx) 
were introduced in Win8. 

I tested on Win7 and Win10 and they differ in how they load these api-ms-win-* 
dll's and whether they appear in process monitor. In Win7, a CreateFile event 
appears in procmon, while in Win10 it seems like the OS is automatically 
loading the module from kernelbase.dll. Also in Win7 the loading of 
api-ms-win-core-path-l1-1-0.dll will fail while in Win10 it succeeds. However, 
in Win7 when it fails it results in the standard dll search strategy, which 
will eventually search outside of the secure directories such as the 
directories in the PATH env var: 
https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order

Each of the problematic methods in cpython has a pattern of attempting to load 
the dll, then falling back to an older version of the method. Thus in Win7, the 
dll fails to load and it falls back to the older version of the method. In 
Win10, the dll load succeeds and we use the new versions of the methods.

I'm working on a fix to pass the LOAD_LIBRARY_SEARCH_DEFAULT_DIRS flag to limit 
the dll search path scope.

--
files: python unsafe dll loading.png
messages: 360348
nosy: anthonywee
priority: normal
severity: normal
status: open
title: Unsafe dll loading in getpathp.c on Win7
Added file: https://bugs.python.org/file48855/python unsafe dll loading.png
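
A way to triage the Process Monitor evidence described in this report, as an added example that is not part of the original thread or of CPython: it scans a Procmon CSV export for probes of the DLL in directories outside a trusted set. The sample rows, PIDs and the C:\Python38, C:\Users\dev and C:\Tools paths are constructed for illustration; the column names follow Procmon's default CSV export.

```python
import csv
import io
import ntpath

TARGET_DLL = "api-ms-win-core-path-l1-1-0.dll"  # DLL name taken from the report

# Constructed sample rows (not real capture data) in Procmon CSV export layout.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","python.exe","4242","CreateFile","C:\Python38\api-ms-win-core-path-l1-1-0.dll","NAME NOT FOUND",""
"10:01:02.2","python.exe","4242","CreateFile","C:\Windows\System32\api-ms-win-core-path-l1-1-0.dll","NAME NOT FOUND",""
"10:01:02.3","python.exe","4242","CreateFile","C:\Users\dev\project\api-ms-win-core-path-l1-1-0.dll","NAME NOT FOUND",""
"10:01:02.4","python.exe","4242","CreateFile","C:\Tools\bin\api-ms-win-core-path-l1-1-0.dll","NAME NOT FOUND",""
"10:01:02.5","python.exe","4242","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.6","python.exe","4242","RegOpenKey","HKLM\System\CurrentControlSet\Control\Session Manager","SUCCESS",""
'''


def normalize_dir(path):
    """Case-fold and normalise a Windows directory so comparisons are exact."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def find_untrusted_probes(csv_text, dll_name, trusted_dirs):
    """Return (process, path, result) for each file probe of dll_name that
    happened in a directory not listed in trusted_dirs."""
    trusted = {normalize_dir(d) for d in trusted_dirs}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue  # only file-system probes matter for DLL search order
        directory, filename = ntpath.split(row["Path"])
        if filename.lower() != dll_name.lower():
            continue
        if normalize_dir(directory) in trusted:
            continue
        findings.append((row["Process Name"], row["Path"], row["Result"]))
    return findings


if __name__ == "__main__":
    # Trusted set mirrors the report: the Python directory and System32.
    # Pass only System32 to model the stricter LOAD_LIBRARY_SEARCH_SYSTEM32.
    trusted = [r"C:\Windows\System32", r"C:\Python38"]
    for proc, path, result in find_untrusted_probes(SAMPLE_CSV, TARGET_DLL, trusted):
        print(f"{proc}: probed {path} ({result})")
```

Any row it reports is a location where a planted file with that name would have been loaded, so each reported directory's write permissions are worth checking.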
