New submission from anandbhat:
The Python 3.5.2 Windows x86-64 executable installer (MD5:
4da6dbc8e43e2249a0892d257e977291) downloaded from
https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe is vulnerable to
DLL hijacking.
The installer attempts to load DLLs from the current directory, which, in most
cases, is the Downloads directory. As explained in
http://blog.opensecurityresearch.com/2014/01/unsafe-dll-loading-vulnerabilities.html
and https://textslashplain.com/2015/12/18/dll-hijacking-just-wont-die/,
installers that are vulnerable to DLL hijacking can be used to load untrusted
and malicious DLLs. A maliciously crafted DLL, when dropped into the user's
Downloads directory, will be executed by this installer.
System used for testing: Windows 10
Steps to reproduce:
1. Download a dummy DLL file for this demo -- version.dll -- from
https://www.dropbox.com/s/3l5qwz7ppevs9za/version.dll?dl=0 and place it in the
default Downloads directory. Virustotal report for this file:
https://www.virustotal.com/en/file/29b51fdb8e498ef5d3fe05e924e23fcaffa554d64fb024b042101236028242b0/analysis/1467171188/
2. Download the Python 3.5.2 Windows x86-64 executable installer (MD5:
4da6dbc8e43e2249a0892d257e977291) from
https://www.python.org/ftp/python/3.5.2/python-3.5.2-amd64.exe and save it to
the default Downloads directory (e.g., C:\Users\xxx\Downloads)
3. Attempt to run the downloaded installer.
4. Windows loads version.dll placed in step [1]. This is just one of several
DLLs that can be exploited.
Attached are screen captures from Process Monitor
(https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx) in a
Windows 10 environment with filters (listed below) that show the DLLs looked
for by the installer in the Downloads directory.
Process Monitor filters:
Inclusion:
  Process Name beginswith python
  Path beginswith
  Operation is Load Image
  Operation is CreateImage
Exclusion:
  Path endswith .ini
  Path contains .exe
--
components: Installation
files: Python_3.5.2_64_exe_DLL_Hijack.PNG
messages: 269461
nosy: anandbhat
priority: normal
severity: normal
status: open
title: DLL hijacking vulnerability in Python 3.5.2 installer
type: security
versions: Python 3.5
Added file: http://bugs.python.org/file43574/Python_3.5.2_64_exe_DLL_Hijack.PNG
___
Python tracker
<http://bugs.python.org/issue27410>
___
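
Added example (not part of the original report and not CPython or installer code): a Python sketch that triages a Process Monitor CSV export in the spirit of the filters listed in the report, flagging DLLs that a process whose name begins with "python" loaded, or looked for and did not find, outside system directories. The CSV rows, the trusted-directory list and the function names are constructed assumptions; a CreateFile event with result NAME NOT FOUND is used here as the signal for a DLL that was searched for but absent.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in Process Monitor's CSV export layout (not real capture
# data): PID 100 is a run with a clean Downloads directory, PID 200 a run with
# a version.dll present beside the installer.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.0000001 AM","python-3.5.2-amd64.exe","100","Load Image","C:\Users\xxx\Downloads\python-3.5.2-amd64.exe","SUCCESS",""
"10:00:00.0000002 AM","python-3.5.2-amd64.exe","100","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:00:00.0000003 AM","python-3.5.2-amd64.exe","100","CreateFile","C:\Users\xxx\Downloads\version.dll","NAME NOT FOUND",""
"10:00:00.0000004 AM","explorer.exe","300","CreateFile","C:\Users\xxx\Downloads\version.dll","NAME NOT FOUND",""
"10:05:00.0000001 AM","python-3.5.2-amd64.exe","200","Load Image","C:\Users\xxx\Downloads\version.dll","SUCCESS",""
'''

# Assumption: directories that unprivileged users cannot write to by default.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def is_trusted(path):
    """True if the path lies under one of the trusted roots (case-insensitive)."""
    lowered = str(path).lower()
    return any(lowered.startswith(root + "\\") for root in TRUSTED_ROOTS)


def find_planted_dll_risks(csv_text, process_prefix="python"):
    """Return (dll name, directory, kind) for each DLL load or failed probe
    that the matching process made outside the trusted directories."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Process Name"].lower().startswith(process_prefix):
            continue
        path = PureWindowsPath(row["Path"])
        if path.suffix.lower() != ".dll" or is_trusted(path):
            continue
        if row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            kind = "loaded"   # a DLL from a user-writable directory was mapped
        elif row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            kind = "probed"   # the directory was searched; the file was absent
        else:
            continue
        findings.append((path.name.lower(), str(path.parent), kind))
    return findings


if __name__ == "__main__":
    for name, directory, kind in find_planted_dll_risks(SAMPLE_CSV):
        print(f"{kind:7} {name} in {directory}")
```

A "probed" finding means the directory is part of the search path even though nothing was loaded from it; a "loaded" finding means a DLL from that directory ran in the installer's process.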