Python 3.5.1 DLL Hijacking

Type packetstorm
Reporter Stefan Kanthak
Modified 2016-01-16T00:00:00


Hi @ll,

the executable installers python-3.5.1-webinstall.exe and
python-3.5.1.exe available on
<> load and execute
multiple DLLs from their "application directory".
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
and <> for "prior art"
about this well-known and well-documented vulnerability.

If an attacker places one of these DLLs in the user's "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.
Proof of concept/demonstration:
(verified on Windows XP, Windows Vista, Windows 7, Windows Server
2008 [R2]; should work on newer versions too)

1. visit <>, download
   <> and store
   it as FEClient.dll in your "Downloads" directory, then copy it
   as ClbCatQ.dll (Windows NT 5.x) or ProfAPI.dll (Windows NT 6.x);
2. download python-3.5.1-webinstall.exe and python-3.5.1.exe and
   store them in your "Downloads" directory;
3. run python-3.5.1-webinstall.exe and python-3.5.1.exe from your
   "Downloads" directory;
4. notice the message boxes displayed from the DLLs placed in step 1;
5. copy FEClient.dll as MSI.dll and Version.dll;
6. rerun python-3.5.1-webinstall.exe and python-3.5.1.exe from your
   "Downloads" directory.

The denial of service from step 6 can easily be turned into an
arbitrary code execution: just create an MSI.dll or Version.dll
with the exports referenced from the executable installers.
For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<> and
<> plus

Additionally python-3.5.1-webinstall.exe and python-3.5.1.exe
create the UNSAFE temporary directories
respectively where they unpack some files and a DLL for execution.
An unprivileged user can overwrite/modify these files and the DLL
between their extraction and use/execution.
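Both findings above (system DLL names resolved from the installer's own "Downloads" directory, and a DLL unpacked into and loaded from a user-writable temp directory) leave the same trace in image-load telemetry. The following detection routine is an added example and is not part of Stefan Kanthak's advisory or of any Python installer code. It assumes Sysmon Event ID 7 (ImageLoaded) records flattened to one "Key: value" line each; the sample lines, user name, and the `example-unpack` temp folder are constructed for this example.

```python
"""Flag DLL loads that an installer resolved from a user-writable directory.

Added example, not from the advisory: runs over constructed records in a
flattened Sysmon-Event-ID-7 ("ImageLoaded") layout and reports loads that
match the advisory's two conditions: a DLL picked up from the image's own
"Downloads" directory, or a DLL loaded from a temp directory an
unprivileged user could have modified between extraction and use.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Optional

# System DLL names the advisory reports the installers resolve from their
# application directory, plus FEClient.dll, the placeholder it plants.
WATCHED_DLLS = {"clbcatq.dll", "profapi.dll", "msi.dll", "version.dll", "feclient.dll"}

# Path fragments that mark directories an unprivileged user can write to.
DOWNLOADS_DIR = re.compile(r"\\downloads\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample records (not real telemetry). User "alice" and the
# "example-unpack" temp folder are assumptions made for this example.
SAMPLE_EVENTS = [
    r"EventID: 7 Image: C:\Users\alice\Downloads\python-3.5.1.exe "
    r"ImageLoaded: C:\Users\alice\Downloads\ProfAPI.dll Signed: false",
    r"EventID: 7 Image: C:\Users\alice\Downloads\python-3.5.1-webinstall.exe "
    r"ImageLoaded: C:\Windows\System32\version.dll Signed: true",
    r"EventID: 7 Image: C:\Users\alice\Downloads\python-3.5.1.exe "
    r"ImageLoaded: C:\Users\alice\AppData\Local\Temp\example-unpack\helper.dll Signed: true",
    r"EventID: 7 Image: C:\Windows\explorer.exe "
    r"ImageLoaded: C:\Windows\System32\shell32.dll Signed: true",
    r"EventID: 1 Image: C:\Users\alice\Downloads\python-3.5.1.exe CommandLine: python-3.5.1.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened 'Key: value Key: value' record into a dict.

    Windows paths never contain ' Word: ', so a space followed by a
    'Word: ' token is a safe field separator.
    """
    fields: Dict[str, str] = {}
    for piece in re.split(r" (?=\w+: )", line.strip()):
        key, _, value = piece.partition(": ")
        fields[key] = value
    return fields


def assess(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for an ImageLoaded event from a user-writable directory, else None."""
    if event.get("EventID") != "7":
        return None
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    dll = ntpath.basename(loaded).lower()
    # Trailing backslash so the directory regexes also match the last component.
    loaded_dir = ntpath.dirname(loaded).lower() + "\\"
    image_dir = ntpath.dirname(image).lower() + "\\"

    reasons: List[str] = []
    if DOWNLOADS_DIR.search(loaded_dir):
        reasons.append("DLL loaded from a Downloads directory")
    if TEMP_DIR.search(loaded_dir):
        reasons.append("DLL loaded from a temp directory an unprivileged user can modify before use")
    if not reasons:
        return None  # system or program directory: not the pattern being hunted

    # Aggravating details that raise the priority of the finding.
    if loaded_dir == image_dir:
        reasons.append("DLL resolved from the application directory of the image")
    if dll in WATCHED_DLLS:
        reasons.append(f"{dll} is a system DLL name the advisory lists as hijackable")
    if event.get("Signed", "").lower() == "false":
        reasons.append("DLL is unsigned")
    return {"image": image, "dll": dll, "reasons": reasons}


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse and assess every record, keeping only the findings."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding['image']} loaded {finding['dll']}:")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the sample records the routine reports two loads: ProfAPI.dll taken from the installer's own "Downloads" directory (unsigned, a watched name, same directory as the image) and helper.dll taken from the temp unpack folder; the load of version.dll from System32 is correctly left alone even though its name is on the watch list, because the location, not the name, is what decides.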
PWNED once more!

For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<> ...

See <>,
<> and
<> plus
<> and the still unfinished
<!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be

stay tuned
Stefan Kanthak
2015-11-13 report sent to  
2015-11-13 auto-response from  
"will investigate and reply ASAP"  
2015-12-23 requested status from vendor  
"How do you define ASAP?"  
NO ANSWER, not even an acknowledgement of receipt  
2016-01-15 report published