Python 3.5.1 DLL Hijacking
Posted on 20 January 2016
Hi @ll, the executable installers python-3.5.1-webinstall.exe and python-3.5.1.exe available on <https://www.python.org/downloads/windows/> load and execute multiple DLLs from their "application directory". For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places one of these DLLs in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (verified on Windows XP, Windows Vista, Windows 7, Windows Server 2008 [R2]; should work on newer versions too) 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store it as FEClient.dll in your "Downloads" directory, then copy it as ClbCatQ.dll (Windows NT 5.x) or ProfAPI.dll (Windows NT 6.x); 2. download python-3.5.1-webinstall.exe and python-3.5.1.exe and store them in your "Downloads" directory; 3. run python-3.5.1-webinstall.exe and python-3.5.1.exe from your "Downloads" directory; 4. notice the message boxes displayed from the DLLs placed in step 1. PWNED! 5. copy FEClient.dll as MSI.dll and Version.dll; 6. rerun python-3.5.1-webinstall.exe and python-3.5.1.exe from your "Downloads" directory. DOSSED! The denial of service from step 6. can easily be turned into an arbitrary code execution: just create an MSI.dll or Version.dll with the exports referenced from the executable installers. For this well-known (trivial, easy to avoid, easy to detect and easy to fix) beginner's error see <https://capec.mitre.org/data/definitions/471.html>, <https://technet.microsoft.com/en-us/library/2269637.aspx>, <https://msdn.microsoft.com/en-us/library/ff919712.aspx> and <https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus <http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx> Additionally python-3.5.1-webinstall.exe and python-3.5.1.exe create the UNSAFE temporary directories %TEMP%{a75b6a1c-5ef0-42f0-ae73-516b23a1d753}.b<letter><number> and %TEMP%{c39d559b-aa83-4476-ba20-988a35a1199a}.b<letter><number> respectively where they unpack some files and a DLL for execution. An unprivileged user can overwrite/modify these files and the DLL between their extraction and use/execution. PWNED once more! For this well-known (trivial, easy to avoid, easy to detect and easy to fix) beginner's error see <https://cwe.mitre.org/data/definitions/377.html>, <https://cwe.mitre.org/data/definitions/379.html>, <https://capec.mitre.org/data/definitions/27.html>, <https://capec.mitre.org/data/definitions/29.html> ... See <http://seclists.org/fulldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/121> plus <http://home.arcor.de/skanthak/sentinel.html> and the still unfinished <http://home.arcor.de/skanthak/!execute.html> for more details and why executable installers (and self-extractors too) are bad and should be dumped. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2015-11-13 report sent to python.org 2015-11-13 auto-response from python.org "will investigate and reply ASAP" 2015-12-23 requested status from vendor "How do you define ASAP?" NO ANSWER, not even an acknowledgement of receipt 2016-01-15 report published
