[New-bugs-announce] [issue27410] DLL hijacking vulnerability in Python 3.5.2 installer

anandbhat report at bugs.python.org
Tue Jun 28 23:50:44 EDT 2016 

New submission from anandbhat:

The Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) downloaded from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe is vulnerable to DLL hijacking.

The installer attempts to load DLLs from the current directory, which in most cases, is the Downloads directory. As explained in http://blog.opensecurityresearch.com/2014/01/unsafe-dll-loading-vulnerabilities.html and https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/, installers that are vulnerable to DLL hijacking can be used to load untrusted and malicious DLLs. A maliciously crafted DLL when dropped into the user's Downloads directory will be executed by this installer.

System used for testing: Windows 10

Steps to reproduce:

1. Download a dummy DLL file for this demo -- version.dll -- from https://www.dropbox.com/s/3l5qwz7ppevs9za/version.dll?dl=0 and place it in the default Downloads directory. Virustotal report for this file: https://www.virustotal.com/en/file/29b51fdb8e498ef5d3fe05e924e23fcaffa554d64fb024b042101236028242b0/analysis/1467171188/

2. Download the Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe and save it to the default Downloads directory (e.g., C:\Users\xxx\Downloads)

3. Attempt to run the downloaded installer.

4. Windows loads version.dll placed in step [1]. This is just one of several DLLs that can be exploited.

Attached are screen captures from Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) in a Windows 10 environment with filters (listed below) that show the DLLs looked for by the installer in the Downloads directory.

Process Monitor filters:
Inclusion:

Process Name beginswith python,
Path beginswith <path to Downloads directory>
Operation is Load Image
Operation is CreateImage
Exclusion:

Path endswith .ini
Path contains .exe

----------
components: Installation
files: Python_3.5.2_64_exe_DLL_Hijack.PNG
messages: 269461
nosy: anandbhat
priority: normal
severity: normal
status: open
title: DLL hijacking vulnerability in Python 3.5.2 installer
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file43574/Python_3.5.2_64_exe_DLL_Hijack.PNG

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27410>
_______________________________________

More information about the New-bugs-announce mailing list