New submission from anandbhat: The Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) downloaded from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe is vulnerable to DLL hijacking.
The installer attempts to load DLLs from the current directory, which in most cases, is the Downloads directory. As explained in http://blog.opensecurityresearch.com/2014/01/unsafe-dll-loading-vulnerabilities.html and https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/, installers that are vulnerable to DLL hijacking can be used to load untrusted and malicious DLLs. A maliciously crafted DLL when dropped into the user's Downloads directory will be executed by this installer. System used for testing: Windows 10 Steps to reproduce: 1. Download a dummy DLL file for this demo -- version.dll -- from https://www.dropbox.com/s/3l5qwz7ppevs9za/version.dll?dl=0 and place it in the default Downloads directory. Virustotal report for this file: https://www.virustotal.com/en/file/29b51fdb8e498ef5d3fe05e924e23fcaffa554d64fb024b042101236028242b0/analysis/1467171188/ 2. Download the Python 3.5.2 Windows x86-64 executable installer (MD5: 4da6dbc8e43e2249a0892d257e977291) from https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe and save it to the default Downloads directory (e.g., C:\Users\xxx\Downloads) 3. Attempt to run the downloaded installer. 4. Windows loads version.dll placed in step [1]. This is just one of several DLLs that can be exploited. Attached are screen captures from Process Monitor (https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) in a Windows 10 environment with filters (listed below) that show the DLLs looked for by the installer in the Downloads directory. Process Monitor filters: Inclusion: Process Name beginswith python, Path beginswith <path to Downloads directory> Operation is Load Image Operation is CreateImage Exclusion: Path endswith .ini Path contains .exe ---------- components: Installation files: Python_3.5.2_64_exe_DLL_Hijack.PNG messages: 269461 nosy: anandbhat priority: normal severity: normal status: open title: DLL hijacking vulnerability in Python 3.5.2 installer type: security versions: Python 3.5 Added file: http://bugs.python.org/file43574/Python_3.5.2_64_exe_DLL_Hijack.PNG _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue27410> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
