New submission from Chi Hsuan Yen:

Originally reported at https://github.com/rg3/youtube-dl/issues/7951

Steps to reproduce:
1. Build 99665:dcf9e9ae5393 with Visual Studio 2015
2. Download and extract PsTools [1]
3. PsExec.exe -l python.exe
4. In Python, run:

import _ssl
_ssl.enum_certificates("CA")
_ssl.enum_crls("CA")

Results:
Python 3.6.0a0 (default, Dec 25 2015, 02:42:42) [MSC v.1900 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl.enum_certificates("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>> _ssl.enum_crls("CA")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PermissionError: [WinError 5] Access is denied
>>>

Windows Vista and above have a security mechanism called "Low Integrity Level". [2] With that, only some specific registry keys are writable. In the original _ssl.c, both enum_certificates() and enum_crls() call CertOpenSystemStore(). At least on my system, CertOpenSystemStore() tries to open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA with read/write permissions. (Observed with Process Monitor [3]) The request fails in Low Integrity Level processes as it's not in the range of writable registry keys.

Here I propose a fix: open certificate stores with the read-only flag. There are some points I'm not sure about in this patch:
1. CERT_STORE_PROV_SYSTEM_A: I guess strings are bytestrings at the C level?
2. CERT_SYSTEM_STORE_LOCAL_MACHINE: In accounts of Administrators, CertOpenSystemStore() tries to open keys under HKLM only, while in restricted (standard) accounts, this function tries to open keys under HKCU with R/W permission and keys under HKLM read-only. I think opening system global stores is OK here. A different perspective: Wine developers always open keys under HKCU in CertOpenSystemStore()

Environment: Windows 7 SP1 (6.1.7601) x86, an account in the Administrators group.
Tested with python.exe Lib\test\test_ssl.py both in a normal shell and within `PsExec -l`

Ref: issue17134, where this code first appears

[1] https://technet.microsoft.com/en-us/sysinternals/pstools.aspx
[2] https://msdn.microsoft.com/en-us/library/bb625960.aspx
[3] https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
[4] https://github.com/wine-mirror/wine/blob/master/dlls/crypt32/store.c

----------
components: Extension Modules, Windows
files: open-system-store-readonly.patch
keywords: patch
messages: 256968
nosy: Chi Hsuan Yen, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: _ssl.enum_certificates() fails with ERROR_ACCESS_DENIED if python.exe run with low integrity level
type: crash
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41405/open-system-store-readonly.patch

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25939>
_______________________________________
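
The two ways of opening the store described in the report, as an added example (not the attached patch and not CPython's code): a ctypes probe that opens a system store once with CertOpenSystemStoreA and once with CertOpenStore plus CERT_STORE_READONLY_FLAG, and returns the Windows error code of each attempt. The helper names readonly_flags and probe_store are made up for this example; the constant values are those in wincrypt.h, and the local-machine location is assumed as in the report.

```python
import ctypes
import sys

# Constants as defined in wincrypt.h.
CERT_STORE_PROV_SYSTEM_A = 9
CERT_STORE_READONLY_FLAG = 0x00008000
CERT_SYSTEM_STORE_CURRENT_USER = 1 << 16
CERT_SYSTEM_STORE_LOCAL_MACHINE = 2 << 16


def readonly_flags(location=CERT_SYSTEM_STORE_LOCAL_MACHINE):
    """dwFlags for CertOpenStore: one store location plus the read-only bit."""
    if location not in (CERT_SYSTEM_STORE_CURRENT_USER,
                        CERT_SYSTEM_STORE_LOCAL_MACHINE):
        raise ValueError("unsupported store location")
    return location | CERT_STORE_READONLY_FLAG


def _crypt32():
    """Load crypt32.dll and declare the prototypes used below."""
    if sys.platform != "win32":
        raise OSError("crypt32.dll is only available on Windows")
    lib = ctypes.WinDLL("crypt32", use_last_error=True)
    lib.CertOpenSystemStoreA.restype = ctypes.c_void_p
    lib.CertOpenSystemStoreA.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    lib.CertOpenStore.restype = ctypes.c_void_p
    lib.CertOpenStore.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                  ctypes.c_void_p, ctypes.c_uint32,
                                  ctypes.c_char_p]
    lib.CertCloseStore.argtypes = [ctypes.c_void_p, ctypes.c_uint32]
    return lib


def probe_store(name="CA"):
    """Return {api: WinError code, 0 on success} for both ways of opening name."""
    lib, raw, results = _crypt32(), name.encode("ascii"), {}
    attempts = {
        "CertOpenSystemStore": lambda: lib.CertOpenSystemStoreA(None, raw),
        "CertOpenStore+READONLY": lambda: lib.CertOpenStore(
            CERT_STORE_PROV_SYSTEM_A, 0, None, readonly_flags(), raw),
    }
    for api, open_store in attempts.items():
        handle = open_store()
        results[api] = 0 if handle else ctypes.get_last_error()
        if handle:
            lib.CertCloseStore(handle, 0)
    return results


if __name__ == "__main__" and sys.platform == "win32":
    print(probe_store("CA"))
```

Running it once in a normal shell and once under `PsExec.exe -l` shows which of the two calls is affected by the integrity level; error code 5 is the ERROR_ACCESS_DENIED seen in the traceback above.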