
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: Insecure Windows python directory permissions
Type: security
Stage:
Components: Installation, Windows
Versions: Python 3.1, Python 2.7
process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: Win32: Security problem with default installation directory (View: 1284316)
Assigned To:
Nosy List: Gynvael.Coldwind, eric.smith, loewis
Priority: normal
Keywords:

Created on 2010-11-21 16:00 by Gynvael.Coldwind, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name: Python_dir_list.txt
Uploaded: Gynvael.Coldwind, 2010-11-21 16:00
Description: List of insecure directories
Messages (2)
msg121947 - Author: Gynvael Coldwind (Gynvael.Coldwind) Date: 2010-11-21 16:00
Hi,
Installers I've tested:
Python 3.1.2 (signed Sunday, March 21, 2010 12:49:44 AM)
Python 2.7 (signed Sunday, July 04, 2010 7:23:45 AM)
It seems that Python's Windows installer doesn't correctly set permissions of Python's directories, allowing any user on the system to create a file inside these directories.
Using DLL Spoofing method (aka DLL Hijacking or Binary Planting) an unprivileged user can create an arbitrary DLL file (e.g. named python31.dll imported by python.exe) inside that directory, which will get loaded and its code will get executed when some other user launches any python or the interpreter itself (i.e. this may lead to elevation of privileges).
This has been tested and proved to work.
Easiest way to check:
1. Install Python on Windows (with NTFS partition)
2. Create a user without any administrative permissions
3. Run a command shell in the context of that user
4. Type: echo.>c:\python31\python31.dll (the name of the directory and DLL file may be different)
5. Run c:\python31\python.exe or any python script from any user
You should get the following message:
---------------------------
python.exe - Bad Image
---------------------------
c:\python31\python31.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support. 
---------------------------
This proves that the created DLL file was (tried to be) loaded into the context of the process. 
Main directories ACLs:
C:\Users\test>cacls c:\python31
c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
 BUILTIN\Administrators:(OI)(CI)(ID)F
 BUILTIN\Users:(OI)(CI)(ID)R
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_APPEND_DATA
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_WRITE_DATA
 CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Users\test>cacls c:\python27
c:\Python27 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
 BUILTIN\Administrators:(OI)(CI)(ID)F
 BUILTIN\Users:(OI)(CI)(ID)R
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_APPEND_DATA
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_WRITE_DATA
 CREATOR OWNER:(OI)(CI)(IO)(ID)F
These directories SHOULD NOT allow Users to FILE_APPEND_DATA or FILE_WRITE_DATA.
Suggested fix:
The installer should make sure the FILE_APPEND_DATA and FILE_WRITE_DATA rights are not present in any directories' ACLs.
Attached: List of directories found to be insecure (i.e. everyone can create a file there).
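An added example, not part of the original report and not code from the Python installer: a Python parser for the cacls output quoted in the report, listing which principals outside a trusted set can create entries in the directory itself. The function and constant names, the trusted set and the assumption that the path contains no spaces are choices made for this example; the sample is the c:\Python31 listing from the report.

```python
import re

# One ACE as cacls prints it: TRUSTEE:(FLAG)(FLAG)...PERMISSION
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\((?:OI|CI|IO|ID|NP)\))*)(?P<perm>.*)$")
# Rights that allow creating entries: cacls letters Write/Change/Full, plus the
# two rights that on a directory mean "add file" and "add subdirectory"
CAN_CREATE = {"W", "C", "F", "FILE_WRITE_DATA", "FILE_APPEND_DATA"}
# Assumption: only these principals should be able to write here
TRUSTED = {"nt authority\\system", "builtin\\administrators"}

# The c:\Python31 listing from the report
SAMPLE = r"""c:\Python31 NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
 BUILTIN\Administrators:(OI)(CI)(ID)F
 BUILTIN\Users:(OI)(CI)(ID)R
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_APPEND_DATA
 BUILTIN\Users:(CI)(ID)(special access:)
 FILE_WRITE_DATA
 CREATOR OWNER:(OI)(CI)(IO)(ID)F
"""

def parse_cacls(output):
    """Return [(trustee, flags, rights)] for one directory's cacls output."""
    lines = output.strip().splitlines()
    # First line is "<path> <first ACE>"; assumes the path contains no spaces
    lines[0] = lines[0].split(None, 1)[1]
    aces = []
    for line in filter(None, (l.strip() for l in lines)):
        m = ACE_RE.match(line)
        if m:
            flags = set(re.findall(r"\((\w+)\)", m["flags"]))
            special = m["perm"].startswith("(special access")
            aces.append((m["trustee"], flags, set() if special else {m["perm"]}))
        elif aces:
            # A bare line names one right of the preceding "special access" ACE
            aces[-1][2].add(line)
    return aces

def untrusted_writers(output):
    """Map each untrusted trustee to the rights that let it create entries."""
    found = {}
    for trustee, flags, rights in parse_cacls(output):
        # Inherit-only (IO) ACEs apply to children, not to the directory itself
        if "IO" in flags or trustee.lower() in TRUSTED:
            continue
        hits = rights & CAN_CREATE
        if hits:
            found.setdefault(trustee, set()).update(hits)
    return {t: sorted(r) for t, r in found.items()}
```

Calling `untrusted_writers(SAMPLE)` reports BUILTIN\Users with both rights named in the report; an empty result means no principal outside the trusted set can create entries in that directory.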
msg121965 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-11-21 19:17
This is a duplicate of issue1284316
History
Date                 User              Action  Args
2022-04-11 14:57:09  admin             set     github: 54700
2010-11-21 19:17:17  loewis            set     status: open -> closed
                                               resolution: duplicate
                                               superseder: Win32: Security problem with default installation directory
                                               messages: + msg121965
2010-11-21 18:41:05  eric.smith        set     nosy: + eric.smith
2010-11-21 16:49:35  pitrou            set     nosy: + loewis
2010-11-21 16:00:53  Gynvael.Coldwind  create
