This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author Gynvael.Coldwind
Recipients Gynvael.Coldwind
Date 2010-11-21.16:00:53
SpamBayes Score 1.5470514e-11
Marked as misclassified No
Message-id <1290355258.56.0.17518339561.issue10491@psf.upfronthosting.co.za>
In-reply-to
Content
Hi,

Installers I've tested:
Python 3.1.2 (signed Sunday, March 21, 2010 12:49:44 AM)
Python 2.7 (signed Sunday, July 04, 2010 7:23:45 AM)

It seems that Python's Windows installer doesn't correctly set permissions of Python's directories, allowing any user on the system to create a file inside these directories.

Using DLL Spoofing method (aka DLL Hijaking or Binary Planting) an unprivileged user can create an arbitrary DLL file (e.g. named python31.dll imported by python.exe) inside that directory, which will get loaded and it's code will get executed when some other user launches any python or the interpreter itself (i.e. this may lead to elevation of privileges).
This has been tested and proved to work.

Easiest way to check:
1. Install Python on Windows (with NTFS partition)
2. Create a user without any administrative permissions
3. Run a command shell in the context of that user
4. Type: echo.>c:\python31\python31.dll (the name of the directory and DLL file may be different)
5. Run c:\python31\python.exe or any python script from any user
You should get the following message:

---------------------------
python.exe - Bad Image
---------------------------
c:\python31\python31.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. 
---------------------------

This proves that the created DLL file was (tried to be) loaded into the context of the process. 


Main directories ACLs:
C:\Users\test>cacls c:\python31
c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Users\test>cacls c:\python27
c:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F

These directories SHOULD NOT allow Users to FILE_APPEND_DATA or FILE_WRITE_DATA.

Suggested fix:
The installer should make sure the FILE_APPEND_DATA and FILE_WRITE_DATA rights are not present in any directories ACLs.

Attached: List of directories found to be insecure (i.e. everyone can create a file there).
History
Date User Action Args
2010-11-21 16:00:59Gynvael.Coldwindsetrecipients: + Gynvael.Coldwind
2010-11-21 16:00:58Gynvael.Coldwindsetmessageid: <1290355258.56.0.17518339561.issue10491@psf.upfronthosting.co.za>
2010-11-21 16:00:53Gynvael.Coldwindlinkissue10491 messages
2010-11-21 16:00:53Gynvael.Coldwindcreate