[New-bugs-announce] [issue42902] a python embedded program may load "C:\Lib\os.py" on windows system
report at bugs.python.org
Mon Jan 11 22:58:43 EST 2021
New submission from houjingyi <houjingyi647 at gmail.com>:
environment: windows 10, python3.8.7 installed to "C:\Program Files\Python38".
datail info: According to https://docs.python.org/3/c-api/init.html: "Py_SetPath() set the default module search path. If this function is called before Py_Initialize(), then Py_GetPath() won’t attempt to compute a default search path but uses the one provided instead."
Write following code that only call Py_Initialize():
using namespace std;
In visual studio add "C:\Program Files\Python38\include" to AdditionalIncludeDirectories, add "C:\Program Files\Python38\libs\python38.lib" to AdditionalDependencies to compile it to poc.exe. Copy "C:\Program Files\Python38\Lib" to "C:\Lib" and modify "C:\Lib\os.py" to execute any code we like. For example we can add "import os" and add "os.system(notepad)" in function "def _exists(name)". Now run poc.exe it will create notepad.
impact: In my report I showed that a python embedded program may load "C:\Lib\os.py" which lower privileged user can control. If this program runs as administrator then this may cause vertical privilege escalation, low privileged user gets higher privilege; If this program do not run as administrator then this may cause vertical privilege escalation, low privileged user can execute code as others(https://en.wikipedia.org/wiki/Privilege_escalation). In either case, the access control of the windows system is broken.
notice: The report was sent to security at python.org before and they suggested it can be reported publicly.
components: C API
title: a python embedded program may load "C:\Lib\os.py" on windows system
versions: Python 3.8
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce