Date: Tue, 6 Apr 2021 15:57:23 +0800
From: houjingyi <>
Subject: [FD] python embedded program local arbitrary python script execution on windows

environment: windows 10, python3.8.7 installed to "C:\Program

detail info: According to
"Py_SetPath() set the default module search path. If this function is
called before Py_Initialize(), then Py_GetPath() won’t attempt to compute a
default search path but uses the one provided instead."
Write the following code, which only calls Py_Initialize():

#include <iostream>
#include <Python.h>
#include <Windows.h>
using namespace std;
int main()
{
    // No Py_SetPath() beforehand, so the interpreter computes its own
    // default module search path (the behaviour this report relies on).
    Py_Initialize();
    Py_Finalize();
    return 0;
}

In Visual Studio add "C:\Program Files\Python38\include" to
AdditionalIncludeDirectories and add "C:\Program
Files\Python38\libs\python38.lib" to AdditionalDependencies to compile it
to poc.exe. Copy "C:\Program Files\Python38\Lib" to "C:\Lib" and modify
"C:\Lib\" to execute any code we like. For example we can add "import
os" and add "os.system(notepad)" in the function "def _exists(name)". Now run
poc.exe and it will create notepad.

impact: In my report I showed that a python embedded program may load
"C:\Lib\", which a lower privileged user can control. If this program
runs as administrator then this may cause vertical privilege escalation,
a low privileged user gets higher privilege; if this program does not run as
administrator then this may cause vertical privilege escalation, a low
privileged user can execute code as others( In either case, the
access control of the Windows system is broken.

notice: The report was sent to before and they
suggested it could be reported publicly.

Python issue I created:
It seems that they do not intend to fix this problem.

I also uploaded a video using IDA Pro 7.5 as an example:

Sent through the Full Disclosure mailing list
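A defender-side check added here, not part of houjingyi's post or of CPython itself: after Py_Initialize() an embedding program (or an audit script run inside it) can compare the interpreter's module search path against the directories it actually ships and flag anything else, such as "C:\Lib" or the empty entry that resolves to the current working directory. The trusted root and the sample search path below are assumptions modelled on the report's environment; the durable fix the quoted documentation points to is pinning the path with Py_SetPath() before Py_Initialize().

```python
from pathlib import PureWindowsPath


def is_under(entry: str, root: str) -> bool:
    """True if `entry` equals `root` or lies inside it.

    The comparison is component-wise and case-insensitive (Windows
    semantics), so "C:\\Program Files\\Python38_old" is NOT under
    "C:\\Program Files\\Python38". Relative entries never count as trusted:
    they resolve against the current working directory, which the program
    does not control.
    """
    e, r = PureWindowsPath(entry), PureWindowsPath(root)
    if not e.is_absolute() or not r.is_absolute():
        return False
    e_parts = [p.lower() for p in e.parts]
    r_parts = [p.lower() for p in r.parts]
    return e_parts[:len(r_parts)] == r_parts


def untrusted_entries(search_path, trusted_roots):
    """Return the module search path entries that lie outside every trusted root.

    Each entry returned is a location the embedded interpreter would import
    modules from although the program never vetted it; in the report above
    that entry is "C:\\Lib".
    """
    return [e for e in search_path
            if not any(is_under(e, root) for root in trusted_roots)]


# Constructed sample modelled on the report's environment (not a real dump).
SAMPLE_SYS_PATH = [
    r"C:\Program Files\Python38\python38.zip",
    r"C:\Lib",                          # writable by a low privileged user
    r"C:\Program Files\Python38\DLLs",
    r"C:\Program Files\Python38\lib",
    r"C:\Program Files\Python38",
    "",                                 # relative: current working directory
]
TRUSTED_ROOTS = [r"C:\Program Files\Python38"]   # assumed install directory

if __name__ == "__main__":
    # In a real embedding, pass sys.path of the initialised interpreter here.
    for bad in untrusted_entries(SAMPLE_SYS_PATH, TRUSTED_ROOTS):
        print("untrusted module search path entry:", repr(bad))
```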