Python 3.5.1 DLL Hijacking

2016-01-16T00:00:00
ID PACKETSTORM:135299
Type packetstorm
Reporter Stefan Kanthak
Modified 2016-01-16T00:00:00

Description

                                        
                                            `Hi @ll,  
  
the executable installers python-3.5.1-webinstall.exe and  
python-3.5.1.exe available on  
<https://www.python.org/downloads/windows/> load and execute  
multiple DLLs from their "application directory".  
  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"  
about this well-known and well-documented vulnerability.  
  
  
If an attacker places one of these DLLs in the users "Downloads"  
directory (for example per drive-by download or social engineering)  
this vulnerability becomes a remote code execution.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
(verified on Windows XP, Windows Vista, Windows 7, Windows Server  
2008 [R2]; should work on newer versions too)  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store  
it as FEClient.dll in your "Downloads" directory, then copy it  
as ClbCatQ.dll (Windows NT 5.x) or ProfAPI.dll (Windows NT 6.x);  
  
2. download python-3.5.1-webinstall.exe and python-3.5.1.exe and  
store them in your "Downloads" directory;  
  
3. run python-3.5.1-webinstall.exe and python-3.5.1.exe from your  
"Downloads" directory;  
  
4. notice the message boxes displayed from the DLLs placed in step 1.  
  
PWNED!  
  
  
5. copy FEClient.dll as MSI.dll and Version.dll;  
  
6. rerun python-3.5.1-webinstall.exe and python-3.5.1.exe from your  
"Downloads" directory.  
  
DOSSED!  
  
  
The denial of service from step 6. can easily be turned into an  
arbitrary code execution: just create an MSI.dll or Version.dll  
with the exports referenced from the executable installers.  
  
  
For this well-known (trivial, easy to avoid, easy to detect and  
easy to fix) beginner's error see  
<https://capec.mitre.org/data/definitions/471.html>,  
<https://technet.microsoft.com/en-us/library/2269637.aspx>,  
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and  
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus  
<http://blogs.technet.com/b/srd/archive/2014/05/13/load-library-safely.aspx>  
  
  
Additionally python-3.5.1-webinstall.exe and python-3.5.1.exe  
create the UNSAFE temporary directories  
%TEMP%\{a75b6a1c-5ef0-42f0-ae73-516b23a1d753}\.b<letter><number>\  
and  
%TEMP%\{c39d559b-aa83-4476-ba20-988a35a1199a}\.b<letter><number>\  
respectively where they unpack some files and a DLL for execution.  
An unprivileged user can overwrite/modify these files and the DLL  
between their extraction and use/execution.  
  
PWNED once more!  
  
  
For this well-known (trivial, easy to avoid, easy to detect and  
easy to fix) beginner's error see  
<https://cwe.mitre.org/data/definitions/377.html>,  
<https://cwe.mitre.org/data/definitions/379.html>,  
<https://capec.mitre.org/data/definitions/27.html>,  
<https://capec.mitre.org/data/definitions/29.html> ...  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101>,  
<http://seclists.org/fulldisclosure/2015/Dec/86> and  
<http://seclists.org/fulldisclosure/2015/Dec/121> plus  
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished  
<http://home.arcor.de/skanthak/!execute.html> for more details and why  
executable installers (and self-extractors too) are bad and should be  
dumped.  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-11-13 report sent to python.org  
  
2015-11-13 auto-response from python.org  
"will investigate and reply ASAP"  
  
2015-12-23 requested status from vendor  
"How do you define ASAP?"  
  
NO ANSWER, not even an acknowledgement of receipt  
  
2016-01-15 report published  
`