Executable installers are vulnerable^WEVIL (case 22): python.org's executable installers allow arbitrary (remote) code execution Jan 15 2016 01:36PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

the executable installers python-3.5.1-webinstall.exe and
python-3.5.1.exe available on
<https://www.python.org/downloads/windows/> load and execute
multiple DLLs from their "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art"
about this well-known and well-documented vulnerability.

If an attacker places one of these DLLs in the users "Downloads"
directory (for example per drive-by download or social engineering)
this vulnerability becomes a remote code execution.

Proof of concept/demonstration:

(verified on Windows XP, Windows Vista, Windows 7, Windows Server
2008 [R2]; should work on newer versions too)

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL> and store
it as FEClient.dll in your "Downloads" directory, then copy it
as ClbCatQ.dll (Windows NT 5.x) or ProfAPI.dll (Windows NT 6.x);

2. download python-3.5.1-webinstall.exe and python-3.5.1.exe and
store them in your "Downloads" directory;

3. run python-3.5.1-webinstall.exe and python-3.5.1.exe from your
"Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.


5. copy FEClient.dll as MSI.dll and Version.dll;

6. rerun python-3.5.1-webinstall.exe and python-3.5.1.exe from your
"Downloads" directory.


The denial of service from step 6. can easily be turned into an
arbitrary code execution: just create an MSI.dll or Version.dll
with the exports referenced from the executable installers.

For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://msdn.microsoft.com/en-us/library/ff919712.aspx> and
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> plus

Additionally python-3.5.1-webinstall.exe and python-3.5.1.exe
create the UNSAFE temporary directories
vely where they unpack some files and a DLL for execution.
An unprivileged user can overwrite/modify these files and the DLL
between their extraction and use/execution.

PWNED once more!

For this well-known (trivial, easy to avoid, easy to detect and
easy to fix) beginner's error see
<https://capec.mitre.org/data/definitions/29.html> ...

See <http://seclists.org/fulldisclosure/2015/Nov/101>,
<http://seclists.org/fulldisclosure/2015/Dec/86> and
<http://seclists.org/fulldisclosure/2015/Dec/121> plus
<http://home.arcor.de/skanthak/sentinel.html> and the still unfinished
<http://home.arcor.de/skanthak/!execute.html> for more details and why
executable installers (and self-extractors too) are bad and should be

stay tuned
Stefan Kanthak


2015-11-13 report sent to python.org

2015-11-13 auto-response from python.org
"will investigate and reply ASAP"

2015-12-23 requested status from vendor
"How do you define ASAP?"

NO ANSWER, not even an acknowledgement of receipt

2016-01-15 report published

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus