Date: Tue, 6 Apr 2021 15:57:23 +0800
From: houjingyi <houjingyi647@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] python embedded program local arbitrary python script execution on windows

environment: Windows 10, Python 3.8.7 installed to "C:\Program Files\Python38".

detail info: According to https://docs.python.org/3/c-api/init.html:
"Py_SetPath() sets the default module search path. If this function is
called before Py_Initialize(), then Py_GetPath() won't attempt to compute a
default search path but uses the one provided instead."
Write the following code, which only calls Py_Initialize():

#include <Python.h>   /* Python.h must be included before any standard headers */
#include <iostream>
#include <Windows.h>
using namespace std;

int main()
{
    /* No Py_SetPath() before this call, so the interpreter computes
       the module search path itself (see the Py_GetPath() note above). */
    Py_Initialize();
    return 0;
}

In Visual Studio add "C:\Program Files\Python38\include" to
AdditionalIncludeDirectories and "C:\Program Files\Python38\libs\python38.lib"
to AdditionalDependencies, then compile it to poc.exe. Copy
"C:\Program Files\Python38\Lib" to "C:\Lib" and modify "C:\Lib\os.py" to
execute any code we like; for example, add "import os" and
"os.system(notepad)" inside the function "def _exists(name)". Now run
poc.exe and it will launch notepad.
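A defender-side check for the behaviour shown above, added here as an example and not code from the post or from CPython: an embedding program that cannot pin the path before Py_Initialize() can run this right after initialisation (e.g. via PyRun_SimpleString) and refuse to continue when sys.path contains entries outside the trusted installation, such as a directory at the drive root like "C:\Lib". The function names, SAMPLE_SYS_PATH and TRUSTED_ROOTS are assumptions constructed for this example; the proper fix remains supplying the path explicitly before initialisation.

```python
import ntpath
import sys


def _norm(p: str) -> str:
    # Windows-style normalisation (backslashes, case-insensitive); ntpath works on any host
    return ntpath.normcase(ntpath.normpath(p))


def untrusted_search_paths(search_paths, trusted_roots):
    """Return the sys.path entries that do not lie below one of trusted_roots."""
    roots = [_norm(r) for r in trusted_roots]
    bad = []
    for entry in search_paths:
        if not entry:  # '' means the current directory, never trustworthy here
            bad.append(entry)
            continue
        e = _norm(entry)
        if not any(e == r or e.startswith(r + "\\") for r in roots):
            bad.append(entry)
    return bad


def is_drive_root_child(p: str) -> bool:
    """True for paths such as C:\\Lib whose parent is the bare drive root."""
    drive, rest = ntpath.splitdrive(_norm(p))
    head, tail = ntpath.split(rest)
    return bool(drive) and head == "\\" and bool(tail)


# Constructed sample (assumption): a search path that picked up C:\Lib alongside the install.
SAMPLE_SYS_PATH = [
    "C:\\Program Files\\Python38\\python38.zip",
    "C:\\Lib",
    "C:\\Program Files\\Python38\\DLLs",
    "C:\\Program Files\\Python38\\lib",
    "C:\\Program Files\\Python38",
]
TRUSTED_ROOTS = ["C:\\Program Files\\Python38"]


def guard_current_interpreter():
    """Abort this interpreter if its own sys.path reaches outside its installation."""
    bad = untrusted_search_paths(sys.path, [sys.base_prefix, sys.prefix])
    if bad:
        sys.stderr.write("refusing to run, untrusted sys.path entries: %r\n" % (bad,))
        sys.exit(1)


if __name__ == "__main__":
    print("untrusted in sample:", untrusted_search_paths(SAMPLE_SYS_PATH, TRUSTED_ROOTS))
    guard_current_interpreter()
```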

impact: In my report I showed that a Python embedded program may load
"C:\Lib\os.py", which a lower-privileged user can control. If this program
runs as administrator then this may cause vertical privilege escalation: a
low-privileged user gets higher privilege. If this program does not run as
administrator then this may cause vertical privilege escalation: a
low-privileged user can execute code as others
(https://en.wikipedia.org/wiki/Privilege_escalation). In either case, the
access control of the Windows system is broken.

notice: The report was sent to security@...hon.org before, and they
suggested it could be reported publicly.

Python issue I created: https://bugs.python.org/issue42902
It seems that they do not intend to fix this problem.

I also uploaded a video using IDA Pro 7.5 as an example:
https://www.youtube.com/watch?v=cv9Ye8UmfF4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/