{"id":16649,"date":"2021-07-07T15:57:19","date_gmt":"2021-07-07T13:57:19","guid":{"rendered":"https:\/\/herolab-usd.formwandler.rocks\/security-advisories\/usd-2019-0068\/"},"modified":"2021-07-19T14:13:41","modified_gmt":"2021-07-19T12:13:41","slug":"usd-2019-0068","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2019-0068\/","title":{"rendered":"usd-2019-0068"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\"][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<h1 class=\"h-custom-headline usd-small-letters h2\"><span>usd-2019-0068 | Chocolatey Python 3 package \/ 3.8.1<\/span><\/h1>\n<p><span><\/span><br \/><strong>Advisory ID<\/strong><span>: usd-2019-0068<\/span><br \/><strong>CVE Number<\/strong><span>: Not requested<\/span><br \/><strong>Affected Product<\/strong><span>: Python 3 package for chocolatey<\/span><br \/><strong>Affected Version<\/strong><span>: 3.8.1<\/span><br \/><strong>Vulnerability Type<\/strong><span>: Weak File Permissions<\/span><br \/><strong>Security Risk<\/strong><span>: High<\/span><br \/><strong>Vendor URL<\/strong><span>: <a href=\"https:\/\/chocolatey.org\/packages\/python3\/\" target=\"_blank\" rel=\"noopener\">https:\/\/chocolatey.org\/packages\/python3\/<\/a><\/span><br \/><strong>Vendor Status<\/strong><span>: Fixed<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3>Introduction<\/h3>\n<p><span>The Chocolatey package manager installs the Python3 package with \u201emodify\u201c permissions for all users.<\/span><\/p>\n<p><span><\/span><\/p>\n<h3>Proof of Concept (PoC)<\/h3>\n<p><span>Run following commands as administrator:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0068-1.jpg\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd-security-advisories-usd-2019-0068-1\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>Now switch to a low privileged cmd.exe process and check the permissions on the global Python folder:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0068-2.jpg\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd-security-advisories-usd-2019-0068-2\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>As one can see, all authenticated Users have the modify (M) permission on the Python folder. This can be exploited<\/span><br \/><span>in several ways. Chocolatey adds the python folder also to the default Path for all user accounts. Therefore, dll hijacking<\/span><br \/><span>of privileged processes could be possible. The easiest attack is of course to replace the python executable (python.exe) with<\/span><br \/><span>another malicious file:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0068-3.jpg\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd-security-advisories-usd-2019-0068-3\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p>If another user account now runs python a reverse shell spawns at the attackers terminal:<\/p>\n<p>Victim:<\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0068-4.jpg\" _builder_version=\"4.9.4\" _module_preset=\"default\" title_text=\"usd-security-advisories-usd-2019-0068-4\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"default\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<p><span>Attacker:<\/span><\/p>\n<p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/07\/usd-security-advisories-usd-2019-0068-5.jpg\" title_text=\"usd-security-advisories-usd-2019-0068-5\" _builder_version=\"4.9.4\" _module_preset=\"default\" custom_margin=\"27px||43px||false|false\" hover_enabled=\"0\" sticky_enabled=\"0\"][\/et_pb_image][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" sticky_enabled=\"0\"]<\/p>\n<div class=\"e16902-22 x-container max width\">\n<div class=\"e16902-23 x-column x-sm x-1-1\">\n<h3>Fix<\/h3>\n<p><span>The global Python folder should not be writable by low privileged user accounts.<\/span><\/p>\n<h3><\/h3>\n<h3>Timeline<\/h3>\n<ul>\n<li>2019-10-22 The vulnerability was found during a pentest on one of our customers<\/li>\n<li>2019-12-17 Report is sent to the maintainer of the package<\/li>\n<li>2020-01-10 Version 3.8.1.20200110 is released that fixes the issue<\/li>\n<li>2020-04-29 Security advisory released<\/li>\n<\/ul>\n<h3><\/h3>\n<h3>Credits<\/h3>\n<p><span>This security vulnerability was found by Tobias Neitzel of usd AG.<\/span><\/p>\n<\/div>\n<\/div>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>usd-2019-0068 | Chocolatey Python 3 package \/ 3.8.1 Advisory ID: usd-2019-0068CVE Number: Not requestedAffected Product: Python 3 package for chocolateyAffected Version: 3.8.1Vulnerability Type: Weak File PermissionsSecurity Risk: HighVendor URL: https:\/\/chocolatey.org\/packages\/python3\/Vendor Status: Fixed &nbsp; Introduction The Chocolatey package manager installs the Python3 package with \u201emodify\u201c permissions for all users. Proof of Concept (PoC) Run following commands [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-16649","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16649","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=16649"}],"version-history":[{"count":0,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16649\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=16649"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}