[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath

[dd0818be-c5c5-4cc4-a7bc-2f3d23adb9f3]

BPO	29778
Nosy	@pfmoore, @vstinner, @larryhastings, @tjguk, @ned-deily, @ambv, @zware, @eryksun, @zooba, @miss-islington, @anthonywee
PRs	python/cpython#17818 python/cpython#17871 python/cpython#21297 python/cpython#21298 python/cpython#21306 python/cpython#21351 python/cpython#21352 python/cpython#21354 python/cpython#21377

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields: ```python assignee = 'https://github.com/zooba' closed_at = created_at = labels = ['type-security', '3.8', '3.9', '3.10', 'release-blocker', '3.7', 'OS-windows'] title = '[CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath' updated_at = user = 'https://bugs.python.org/TiborCsonka' ``` bugs.python.org fields: ```python activity = actor = 'larry' assignee = 'steve.dower' closed = True closed_date = closer = 'steve.dower' components = ['Windows'] creation = creator = 'Tibor Csonka' dependencies = [] files = [] hgrepos = [] issue_num = 29778 keywords = ['patch'] message_count = 37.0 messages = ['289334', '289364', '289412', '343638', '359136', '359245', '359438', '359439', '359440', '359441', '359498', '359544', '359549', '359550', '372555', '372556', '372595', '372596', '372961', '373138', '373142', '373147', '373150', '373155', '373156', '373164', '373213', '373214', '373228', '373257', '373618', '373757', '373789', '373919', '374024', '374029', '374785'] nosy_count = 12.0 nosy_names = ['paul.moore', 'vstinner', 'larry', 'tim.golden', 'ned.deily', 'lukasz.langa', 'zach.ware', 'eryksun', 'steve.dower', 'Tibor Csonka', 'miss-islington', 'anthonywee'] pr_nums = ['17818', '17871', '21297', '21298', '21306', '21351', '21352', '21354', '21377'] priority = 'release blocker' resolution = 'fixed' stage = 'resolved' status = 'closed' superseder = None type = 'security' url = 'https://bugs.python.org/issue29778' versions = ['Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9', 'Python 3.10'] ```

[dd0818be-c5c5-4cc4-a7bc-2f3d23adb9f3]

When Py_SetPath is used to set up module path at initialization, the Py_SetPath causes getpathp.c::calculate_path not to be called. However, calculate path is the only function calling getpathp.c::get_progpath which initializes the local dllpath static variable.

Later the interpreter tries to load python3.dll and uses dllpath which is empty by default. This empty path gets joined with \python3.dll and \DLLs\python3.dll which is used in the LoadLibraryExW resulting in loading python3.dll from the root location of the windows drive the application is running from.

The behavior was reproduced using PyInstaller but it is present in any embedding application which uses Py_SetPath.

[zooba]

I thought we'd documented that if you set the path when embedding you should also set the program name, but perhaps not (didn't check just now). If not, we should do that.

We shouldn't be loading python3.dll anywhere. Are you sure that's in CPython? Do you have a reference to the source file?

[zooba]

Ah, I see. We force load it in PC/getpathp.c to ensure that it's ours and not another version's python3.dll.

We should probably refactor the GetModuleFileNameW call into its own function so we can call it from anywhere we need.

[vstinner]

When Py_SetPath is used to set up module path at initialization, the Py_SetPath causes getpathp.c::calculate_path not to be called. However, calculate path is the only function calling getpathp.c::get_progpath which initializes the local dllpath static variable.

I fixed this issue in Python 3.8 with this commit:

commit 410759fba80aded5247b693c60745aa16906f3bb Author: Victor Stinner \vstinner@redhat.com\ Date: Sat May 18 04:17:01 2019 +0200

bpo-36763: Remove _PyCoreConfig.dll_path (GH-13402)

I modified Py_SetPath() like that:

• new_config.dll_path = _PyMem_RawWcsdup(L""); + new_config.dll_path = _Py_GetDLLPath();

Py_SetPath() no longer sets dll_path to an empty string.

Since we only got one bug report and I believe that Tibor Csonka found a way to workaround the issue since he reported it, I close the issue.

Please reopen/comment the issue if you would like to get this issue fixed in Python 3.7 as well.

--

Moreover, the PEP-587 now has a better API to configure embedded Python. I just implemented this PEP in bpo-36763.

[7e52fd51-f543-40ba-81e4-59e14744df80]

It looks like there has been a regression in the fix for this issue.

The commit below introduced a NULL check which causes a call to _PyPathConfig_Init() to be skipped if _Py_dll_path == NULL. It seems like the check should be "if (_Py_dll_path != NULL)"?

https://github.com/python/cpython/commit/c422167749f92d4170203e996a2c619c818335ea#diff-87aed37b4704d4e1513be6378c9c7fe6R169

[zooba]

It looks like there has been a regression in the fix for this issue.

You're right. Care to create a pull request to fix it?

[zooba]

New changeset 7b79dc9200a19ecbac667111dffd58e314be02a8 by Steve Dower (Anthony Wee) in branch 'master': bpo-29778: Fix incorrect NULL check in _PyPathConfig_InitDLLPath() (GH-17818) https://github.com/python/cpython/commit/7b79dc9200a19ecbac667111dffd58e314be02a8

[zooba]

Thanks, Anthony! And congratulations on becoming a CPython contributor!

[miss-islington]

New changeset a9a43c221bf3896ed1d1c2eee2531b7121cf78e4 by Miss Islington (bot) in branch '3.8': bpo-29778: Fix incorrect NULL check in _PyPathConfig_InitDLLPath() (GH-17818) https://github.com/python/cpython/commit/a9a43c221bf3896ed1d1c2eee2531b7121cf78e4

[vstinner]

Oops, I'm guilty of pushing this change! Sorry & thanks for the fix.

    if (_Py_dll_path == NULL) {
        /* Already set: nothing to do */
        return _PyStatus_OK();
    }

[7e52fd51-f543-40ba-81e4-59e14744df80]

Thank you Steve!

I'm still seeing python3.dll being loaded from \DLLs\python3.dll.

_Py_CheckPython3() uses Py_GetPrefix() as a prefix for \DLLs\python3.dll.

It looks like Py_SetPath() sets the _Py_path_config.prefix to "", but I'm not seeing anything else set it to a real value?

https://github.com/python/cpython/blob/7b79dc9200a19ecbac667111dffd58e314be02a8/Python/pathconfig.c#L508

[vstinner]

It looks like Py_SetPath() sets the _Py_path_config.prefix to "", but I'm not seeing anything else set it to a real value?

In the master branch, _Py_CheckPython3() doesn't use _Py_path_config.prefix.

_PyPathConfig_InitDLLPath() calls GetModuleFileNameW(PyWin_DLLhModule, dll_path, MAXPATHLEN) if PyWin_DLLhModule is initialized.

For example, _PyPathConfig_InitDLLPath() is called by Py_Initialize() and Py_SetPath().

PyWin_DLLhModule is initialized by DllMain().

The code in the 3.8 branch looks very similar (I backported my "Remove _PyPathConfig.dll_path" change to 3.8: commit 9f3dcf802eefeb5ab821ce3c7204ab46557d53d7).

[7e52fd51-f543-40ba-81e4-59e14744df80]

Hm, I'm seeing _Py_CheckPython3() use Py_GetPrefix(), which uses _Py_path_config.prefix?

https://github.com/python/cpython/blob/c02b41b1fb115c87693530ea6a480b2e15460424/PC/getpathp.c#L1185

[vstinner]

Hm, I'm seeing _Py_CheckPython3() use Py_GetPrefix(), which uses _Py_path_config.prefix?

Oh right, that's the initial issue:

Later the interpreter tries to load python3.dll and uses dllpath which is empty by default. This empty path gets joined with \python3.dll and \DLLs\python3.dll which is used in the LoadLibraryExW resulting in loading python3.dll from the root location of the windows drive the application is running from.

I reopen the issue.

[vstinner]

_Py_CheckPython3() tries to load "python3.dll" from two directories:

• first one based on _Py_dll_path
• second one based on Py_GetPrefix()

I understand that LoadLibraryExW() must not be attempted if _Py_dll_path is empty, or if Py_GetPrefix() is empty. Am I right?

[vstinner]

I understand that Python 3.5, 3.6 and 3.7 are also affected. It's not a regression.

On Python 3.5, 3.6 and 3.7, when Py_SetPath(path) is called, Py_GetPrefix() also returns an empty path. So at least the directory based on Py_GetPrefix() should also be skipped on Python 3.5-3.7 if Py_GetPrefix() is empty, right?

[zooba]

I understand that LoadLibraryExW() must not be attempted if _Py_dll_path is empty, or if Py_GetPrefix() is empty. Am I right?

More likely those should never be empty. Perhaps sys.prefix is optional, but the DLL path is the current executing module, and should always be set.

I suspect you're right, that 3.7 is also affected. But earlier versions would only _not_ fill the DLL path for static (non-shared) builds.

It looks like Py_SetPath in 3.7 started clearing it unnecessarily, so that may be the cause.

[zooba]

Sorry, I take that back. Earlier versions would indeed skip initialization in some cases.

I propose we deprecate the dll_path field in PathConfig and just get the path directly in the three places it's necessary. The path calculations have security exposure, so let's just avoid trying to manage additional state around it unnecessarily.

I'll work on a patch this week unless someone else gets to it first.

[zooba]

Bumping to release blocker and adding RMs. Should definitely get this fix merged within the next week, and I don't want the next round of releases to go out without it.

[zooba]

New changeset dcbaa1b49cd9062fb9ba2b9d49555ac6cd8c60b5 by Steve Dower in branch 'master': bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) https://github.com/python/cpython/commit/dcbaa1b49cd9062fb9ba2b9d49555ac6cd8c60b5

[miss-islington]

New changeset 4981fe36c7477303de830e8dca929a02caaaffe4 by Miss Islington (bot) in branch '3.9': bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) https://github.com/python/cpython/commit/4981fe36c7477303de830e8dca929a02caaaffe4

[ambv]

New changeset aa7f7756149a10c64d01f583b71e91814db886ab by Miss Islington (bot) in branch '3.8': bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (GH-21352) https://github.com/python/cpython/commit/aa7f7756149a10c64d01f583b71e91814db886ab

[ned-deily]

New changeset 110dd153662a13b8ae1bb06348e5b1f118ab26d7 by Steve Dower in branch '3.7': [3.7] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (bpo-21298) https://github.com/python/cpython/commit/110dd153662a13b8ae1bb06348e5b1f118ab26d7

[ned-deily]

New changeset 46cbf6148a46883110883488d3e9febbe46ba861 by Steve Dower in branch '3.6': [3.6] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21298) (bpo-21354) https://github.com/python/cpython/commit/46cbf6148a46883110883488d3e9febbe46ba861

[zooba]

Fixes are in. Also adding the CVE number to the bug title.

[zooba]

Announcement post: https://mail.python.org/archives/list/security-announce@python.org/thread/C5RIXC2ZIML3NOEIOGFPA6ISGU5L2QXL/

CVE-2020-15523 is an invalid search path in Python 3.6 and later on Windows. It occurs during Py_Initialize() when the runtime attempts to pre-load python3.dll. If Py_SetPath() has been called, the expected location is not set, and locations elsewhere on the user's system will be searched.

This issue is not triggered when running python.exe. It only applies when CPython has been embedded in another application.

Issue: https://bugs.python.org/issue29778 Patch: https://github.com/python/cpython/pull/21297

The next patched releases will be: 3.9.0b5, 3.8.4, 3.7.9 (source only), 3.6.12 (source only)

Other than applying the patch, applications may mitigate the vulnerability by explicitly calling LoadLibrary() on their copy of python3.dll before calling Py_Initialize(). Even with the patch applied, applications should include a copy of python3.dll alongside their main Python DLL.

Thanks to Eric Gantumur for detecting and reporting the issue to the Python Security Response Team.

[vstinner]

FYI this vulnerability is now tracked by: https://python-security.readthedocs.io/vuln/pysetpath-python-dll-path.html

[vstinner]

Steve: Python 3.5 is also vulnerable, no? This branch still gets security fixes, do you plan to backport the fix? I can do it if you are not available.

[zooba]

Python 3.5 is also vulnerable, no? This branch still gets security fixes, do you plan to backport the fix?

You're right. I thought because the backport tag was gone on GitHub that it was EOL already.

I can do the backport.

[vstinner]

New changeset 8f42748ded5e978fe8a924115179d45a74a6363b by Victor Stinner in branch 'master': bpo-29778: test_embed tests the path configuration (GH-21306) https://github.com/python/cpython/commit/8f42748ded5e978fe8a924115179d45a74a6363b

[zooba]

Correction: the original discovery credit goes to Eran Shimony \Eran.Shimony@cyberark.com\ and Ido Hoorvitch \Ido.Hoorvitch@cyberark.com\ from CyberArk.

[zooba]

FYI, bpo-41304 fixed a regression in this patch in 3.7 and later. The regression shipped in 3.8.4 and 3.9.0b4, but will be fixed in the subsequent releases.

[larryhastings]

I must have taken my stupid pills today. Why is this considered a "security" "release blocker"? If you can put files in the root of the hard drive where Windows was installed, surely you have other, easier attack vectors.

[eryksun]

If you can put files in the root of the hard drive where Windows was installed, surely you have other, easier attack vectors.

A rooted path is resolved relative to the process working directory, and Python can be started with any current working directory.

The default access control set on the root directory of a filesystem allows any authenticated user to create files or directories, such as "D:\python3.dll". That's if a filesystem even supports security. Removable drives are often formatted as FAT32 or exFAT, and FAT filesystems have no security.

The system drive (almost always "C:") has to be an NTFS filesystem, and its root directory is locked down a bit more. It's at high integrity level with a no-write-up rule for files, but not for directories. Only a logon at elevated integrity level (high or system level) can create "C:\python3.dll". OTOH, any authenticated user is still allowed to create a directory, such as "C:\DLLs", and is granted the right to create files in it such as "C:\DLLs\python3.dll".

[larryhastings]

I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly. And that seems way more straightforward. Why would anyone bother with this?

[eryksun]

I still don't understand why this is considered a Python security problem. If the user can put a malicious "python3.dll" at some arbitrary spot in the filesystem (e.g. a USB flash drive), and fool Python.exe into loading it, then surely they could put an arbitrary executable at that same spot and launch it directly.

What would be the point of adding an arbitrary executable in "C:\spam" or "D:\"? It's not in the system PATH, "App Paths", or any file-association template command. But if you can inject code into vulnerable processes that embed Python by simply creating "C:\DLLs\python3.dll", that seems like low-hanging fruit to me. Just wait for it to be run with administrator access, and then you can own the entire system.

[larryhastings]

New changeset f205f1000a2d7f8b044caf281041b3705f293480 by Steve Dower in branch '3.5': [3.5] bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded (GH-21297) (bpo-21377) https://github.com/python/cpython/commit/f205f1000a2d7f8b044caf281041b3705f293480