classification
Title: The security descriptors of python binaries in Windows are not strict enough
Type: security Stage: test needed
Components: Windows Versions: Python 2.6
process
Status: closed Resolution: rejected
Dependencies: Superseder: Win32: Security problem with default installation directory
View: 1284316
Assigned To: Nosy List: brian.curtin, ezio.melotti, flox, kindloaf, r.david.murray
Priority: normal Keywords:

Created on 2009-04-20 16:42 by kindloaf, last changed 2010-03-03 04:42 by kindloaf. This issue is now closed.

Messages (7)
msg86201 - (view) Author: Hong Chen (kindloaf) Date: 2009-04-20 16:42
The security descriptors of python binaries (like python.exe,
pythonw.exe, etc) allow any Authenticated Users to modify these
binaries.  This may cause a privilege-escalation problem since
administrators may use python binaries when performing administrative
tasks.  A normal unprivileged user may turn a python binary into a
trojan and acquire administrator's sids.

Test environment: windows vista, python 2.6
msg99038 - (view) Author: Hong Chen (kindloaf) Date: 2010-02-08 06:31
Thanks for the reply.  I can log in as a non-admin user and replace
python.exe with another binary.  Does that serve as an attack example?

Hong

On Sun, Feb 7, 2010 at 7:14 PM, Brian Curtin <report@bugs.python.org> wrote:
>
> Changes by Brian Curtin <curtin@acm.org>:
>
>
> ----------
> stage:  -> test needed
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue5802>
> _______________________________________
>
msg99047 - (view) Author: Brian Curtin (brian.curtin) * (Python committer) Date: 2010-02-08 15:23
Is the situation any different if you install Python to "C:\Program Files"? This seems to be at least part of the reason IronPython installs to "C:\Program Files", which was discussed on the IronPython list [1] a few months ago.


[1] http://lists.ironpython.com/pipermail/users-ironpython.com/2009-October/011345.html
msg100219 - (view) Author: Hong Chen (kindloaf) Date: 2010-02-28 20:07
Sorry for the delay, it's been a busy month.

I just tried python 3.1  If installed under c:\program files, the
access control list would be correct, only system & administrator
accounts get the modify privilege.

The default installation is to c:\python31, in which the access
control list has the issue that unprivileged users can modify it.

I guess a possible remedy to this is that after installation, the
setup program can just remove "authenticated users" from the access
control list, or at least remove the "modify" privilege from the
corresponding entry.

Thanks,
Hong

On Mon, Feb 8, 2010 at 7:23 AM, Brian Curtin <report@bugs.python.org> wrote:
>
> Brian Curtin <curtin@acm.org> added the comment:
>
> Is the situation any different if you install Python to "C:\Program Files"? This seems to be at least part of the reason IronPython installs to "C:\Program Files", which was discussed on the IronPython list [1] a few months ago.
>
>
> [1] http://lists.ironpython.com/pipermail/users-ironpython.com/2009-October/011345.html
>
> ----------
> nosy: +brian.curtin
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue5802>
> _______________________________________
>
msg100257 - (view) Author: Brian Curtin (brian.curtin) * (Python committer) Date: 2010-03-01 15:45
Even if we changed the ACL of the executable, any user could still add malicious code to be executed on import, as the C:\PythonXY directory doesn't require specific privileges for writing to it, and it shouldn't by default. When installed to "C:\Program Files", certain privileges are required to install anything, so regular users can't install third party code or swap out the interpreter. 

If you need the added security, you are more than welcome to choose to install Python to a more secure location. Defaulting to "C:\Program Files" isn't necessary.

See also: issues #1074873 and #818030
msg100288 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2010-03-02 12:26
See also issue 1284316, which is still open, and should probably remain open even though there's no consensus to make a change (yet?).
msg100332 - (view) Author: Hong Chen (kindloaf) Date: 2010-03-03 04:42
Sure. Thank you for the information!

Hong

On Tue, Mar 2, 2010 at 4:26 AM, R. David Murray <report@bugs.python.org> wrote:
>
> R. David Murray <rdmurray@bitdance.com> added the comment:
>
> See also issue 1284316, which is still open, and should probably remain open even though there's no consensus to make a change (yet?).
>
> ----------
> nosy: +ezio.melotti, flox, r.david.murray
> priority:  -> normal
> superseder:  -> Win32: Security problem with default installation directory
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue5802>
> _______________________________________
>
History
Date User Action Args
2010-03-03 04:42:55kindloafsetmessages: + msg100332
2010-03-02 12:26:16r.david.murraysetpriority: normal

nosy: + r.david.murray, ezio.melotti, flox
messages: + msg100288

superseder: Win32: Security problem with default installation directory
2010-03-01 15:45:54brian.curtinsetstatus: open -> closed
resolution: rejected
messages: + msg100257
2010-02-28 20:07:23kindloafsetmessages: + msg100219
2010-02-08 15:23:02brian.curtinsetnosy: + brian.curtin
messages: + msg99047
2010-02-08 06:31:44kindloafsetmessages: + msg99038
2010-02-08 03:14:26brian.curtinsetstage: test needed
2009-04-20 16:42:29kindloafcreate