[New-bugs-announce] [issue10491] Insecure Windows python directory permissions

Gynvael Coldwind report at bugs.python.org
Sun Nov 21 17:00:58 CET 2010 

New submission from Gynvael Coldwind <gynvael at gmail.com>:

Hi,

Installers I've tested:
Python 3.1.2 (signed Sunday, March 21, 2010 12:49:44 AM)
Python 2.7 (signed Sunday, July 04, 2010 7:23:45 AM)

It seems that Python's Windows installer doesn't correctly set permissions of Python's directories, allowing any user on the system to create a file inside these directories.

Using DLL Spoofing method (aka DLL Hijaking or Binary Planting) an unprivileged user can create an arbitrary DLL file (e.g. named python31.dll imported by python.exe) inside that directory, which will get loaded and it's code will get executed when some other user launches any python or the interpreter itself (i.e. this may lead to elevation of privileges).
This has been tested and proved to work.

Easiest way to check:
1. Install Python on Windows (with NTFS partition)
2. Create a user without any administrative permissions
3. Run a command shell in the context of that user
4. Type: echo.>c:\python31\python31.dll (the name of the directory and DLL file may be different)
5. Run c:\python31\python.exe or any python script from any user
You should get the following message:

---------------------------
python.exe - Bad Image
---------------------------
c:\python31\python31.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. 
---------------------------

This proves that the created DLL file was (tried to be) loaded into the context of the process. 


Main directories ACLs:
C:\Users\test>cacls c:\python31
c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Users\test>cacls c:\python27
c:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
            BUILTIN\Administrators:(OI)(CI)(ID)F
            BUILTIN\Users:(OI)(CI)(ID)R
            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_APPEND_DATA

            BUILTIN\Users:(CI)(ID)(special access:)
                                  FILE_WRITE_DATA

            CREATOR OWNER:(OI)(CI)(IO)(ID)F

These directories SHOULD NOT allow Users to FILE_APPEND_DATA or FILE_WRITE_DATA.

Suggested fix:
The installer should make sure the FILE_APPEND_DATA and FILE_WRITE_DATA rights are not present in any directories ACLs.

Attached: List of directories found to be insecure (i.e. everyone can create a file there).

----------
components: Installation, Windows
files: Python_dir_list.txt
messages: 121947
nosy: Gynvael.Coldwind
priority: normal
severity: normal
status: open
title: Insecure Windows python directory permissions
type: security
versions: Python 2.7, Python 3.1
Added file: http://bugs.python.org/file19751/Python_dir_list.txt

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue10491>
_______________________________________

More information about the New-bugs-announce mailing list