[ANN][SECURITY] Local Privilege Escalation in all Windows software frozen by PyInstaller in "onefile" mode

Hartmut Goebel h.goebel at goebel-consult.de
Thu Jan 9 13:47:16 EST 2020 

Severity: high: CVSSv3 score: 7.0
Packages: PyInstaller (Windows)
Affected versions:  <= 3.5
Patched versions: 3.6, available at https://pypi.org/project/PyInstaller/
CVE identifier: CVE-2019-16784


      Impact

*Local Privilege Escalation *in all *Windows software frozen by
PyInstaller* in "onefile" mode, caused by insecure directory permissions
of sys._MEIPATH.

While PyInstaller itself was not vulnerable, *all Windows software
frozen by PyInstaller in “onefile” mode is vulnerable.*

The vulnerability is present only on Windows and in this particular
case: If a /software frozen by PyInstaller in "onefile" mode/**is
launched by a (privileged) user who has /his/her "TempPath" resolving to
a world writable directory/. This is the case e.g. if the software is
launched as a service or as a scheduled task using a system account (in
which case TempPath will default to C:\Windows\Temp).

In order to be exploitable the software has to be (re)started after the
attacker has launched the exploit program. So for a service launched at
startup, a service restart is needed (e.g. after a crash or an upgrade).

While PyInstaller itself was not vulnerable, all Windows software frozen
by PyInstaller in "onefile" mode is vulnerable.

CVSSv3 score: 7.0 (High)
CVSSv3 vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H


      Patches

The problem is patched in commits 42a67148b3bdf9 (fixed code)
<https://github.com/pyinstaller/pyinstaller/commit/42a67148b3bdf9211fda8499fdc5b63acdd7e6cc>
and be948cf09547 (recompiled bootloaders)
<https://github.com/pyinstaller/pyinstaller/commit/be948cf0954707671aa499da17b10c86b6fa5e5c>.
Users should upgrade to PyInstaller version 3.6 and rebuild their
software. The new version is available at
https://pypi.org/project/PyInstaller/


      Workarounds

There is no known workaround: Users using PyInstaller to freeze their
Windows software using "onefile" mode should upgrade PyInstaller and
rebuild their software. The new version is available at
https://pypi.org/project/PyInstaller/


      Credits

This vulnerability was discovered and reported by Farid AYOUJIL
(@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from
Alter Solutions (@AlterSolutions) and fixed in collaboration with
Hartmut Goebel (@htgoebel, maintainer of PyInstaller).


      Funding Development

PyInstaller is in urgent need of funding to make future security fixes
happen, see <https://github.com/pyinstaller/pyinstaller/issues/4404> for
details.

-- 
Schönen Gruß
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP, ISO 27001 Lead Implementer
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Blog: https://www.goe-con.de/blog/e-mails-weiterhin-verschlusseln
Kolumne:
https://www.goe-con.de/hartmut-goebel/cissp-gefluester/2010-11-it-sicherheit-im-unternehmen-eine-interne-oder-externe-angelegenheit

More information about the Python-list mailing list