Author eryksun
Recipients Tibor Csonka, anthonywee, eryksun, larry, lukasz.langa, miss-islington, ned.deily, paul.moore, steve.dower, tim.golden, vstinner, zach.ware
Date 2020-07-18.21:01:02
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1595106063.11.0.641637489719.issue29778@roundup.psfhosted.org>
In-reply-to
Content
> If you can put files in the root of the hard drive where Windows was
> installed, surely you have other, easier attack vectors.

A rooted path is resolved relative to the process working directory, and Python can be started with any current working directory. 

The default access control set on the root directory of a filesystem allows any authenticated user to create files or directories, such as "D:\python3.dll". That's if a filesystem even supports security. Removable drives are often formatted as FAT32 or exFAT, and FAT filesystems have no security.

The system drive (almost always "C:") has to be an NTFS filesystem, and its root directory is locked down a bit more. It's at high integrity level with a no-write-up rule for files, but not for directories. Only a logon at elevated integrity level (high or system level) can create "C:\python3.dll". OTOH, any authenticated user is still allowed to create a directory, such as "C:\DLLs", and is granted the right to create files in it such as "C:\DLLs\python3.dll".
History
Date User Action Args
2020-07-18 21:01:03eryksunsetrecipients: + eryksun, paul.moore, vstinner, larry, tim.golden, ned.deily, lukasz.langa, zach.ware, steve.dower, Tibor Csonka, miss-islington, anthonywee
2020-07-18 21:01:03eryksunsetmessageid: <1595106063.11.0.641637489719.issue29778@roundup.psfhosted.org>
2020-07-18 21:01:03eryksunlinkissue29778 messages
2020-07-18 21:01:02eryksuncreate