[New-bugs-announce] [issue27410] DLL hijacking vulnerability in Python 3.5.2 installer
anandbhat
report at bugs.python.org
Tue Jun 28 23:50:44 EDT 2016
New submission from anandbhat:
The Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) downloaded from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe is vulnerable to DLL hijacking.
The installer attempts to load DLLs from the current directory, which in most cases, is the Downloads directory. As explained in http://blog.opensecurityresearch.com/2014/01/unsafe-dll-loading-vulnerabilities.html and https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/, installers that are vulnerable to DLL hijacking can be used to load untrusted and malicious DLLs. A maliciously crafted DLL when dropped into the user's Downloads directory will be executed by this installer.
System used for testing: Windows 10
Steps to reproduce:
1. Download a dummy DLL file for this demo -- version.dll -- from https://www.dropbox.com/s/3l5qwz7ppevs9za/version.dll?dl=0 and place it in the default Downloads directory. Virustotal report for this file: https://www.virustotal.com/en/file/29b51fdb8e498ef5d3fe05e924e23fcaffa554d64fb024b042101236028242b0/analysis/1467171188/
2. Download the Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe and save it to the default Downloads directory (e.g., C:\Users\xxx\Downloads)
3. Attempt to run the downloaded installer.
4. Windows loads version.dll placed in step [1]. This is just one of several DLLs that can be exploited.
Attached are screen captures from Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) in a Windows 10 environment with filters (listed below) that show the DLLs looked for by the installer in the Downloads directory.
Process Monitor filters:
Inclusion:
Process Name beginswith python,
Path beginswith <path to Downloads directory>
Operation is Load Image
Operation is CreateImage
Exclusion:
Path endswith .ini
Path contains .exe
----------
components: Installation
files: Python_3.5.2_64_exe_DLL_Hijack.PNG
messages: 269461
nosy: anandbhat
priority: normal
severity: normal
status: open
title: DLL hijacking vulnerability in Python 3.5.2 installer
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file43574/Python_3.5.2_64_exe_DLL_Hijack.PNG
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27410>
_______________________________________
More information about the New-bugs-announce
mailing list