CVE-2012-5379 in ActivePython

Summary

by MITRE

** DISPUTED ** Untrusted search path vulnerability in the installation functionality in ActivePython 3.2.2.3, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Python27 or C:\Python27\Scripts directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the ActivePython installation.


Analysis

by VulDB Data Team • 08/16/2025

The vulnerability described in CVE-2012-5379 represents a classic untrusted search path issue that exploits the way Windows handles dynamic link library (DLL) loading through the system PATH environment variable. This particular flaw exists within the ActivePython 3.2.2.3 installation functionality when the software is installed in the root C:\ directory. The vulnerability stems from the installation process not properly sanitizing the PATH variable, creating an environment where malicious actors can place Trojan horse DLL files in directories that Windows will subsequently search during execution. The specific attack vector involves placing a malicious wlbsctrl.dll file in either the C:\Python27 or C:\Python27\Scripts directory, which are commonly added to the PATH by administrators for various system operations.

The technical exploitation of this vulnerability relies on the Windows DLL loading mechanism, which searches directories in the PATH variable in a specific order. When ActivePython is installed in the C:\ directory and the installation process fails to properly manage the PATH environment variable, it can inadvertently include directories containing malicious DLL files. This creates a privilege escalation scenario where local users can execute arbitrary code with elevated privileges through the system service that loads the malicious wlbsctrl.dll file. The vulnerability specifically targets the "IKE and AuthIP IPsec Keying Modules" system service, which is a critical Windows service responsible for network security protocols. This service is particularly susceptible because it operates with elevated privileges and loads DLL files from the system PATH without proper validation of their authenticity.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass potential system compromise and data theft. Attackers can leverage this flaw to gain unauthorized access to systems running the affected ActivePython versions, potentially leading to complete system takeover. The vulnerability's exploitation is particularly concerning because it requires minimal user interaction beyond the initial installation, and the malicious DLL file can remain undetected for extended periods. The affected operating systems include Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview, representing a significant portion of the enterprise environment at the time of discovery. The vulnerability aligns with CWE-427 Uncontrolled Search Path, which specifically addresses the issue of untrusted search paths that can lead to privilege escalation and arbitrary code execution.

Security practitioners should note that this vulnerability was ultimately disputed by the CVE organization because the unsafe PATH configuration requires a separate administrative action that is not part of the default ActivePython installation process. This distinction is crucial for risk assessment and remediation planning, as it indicates that the vulnerability is not automatically exploitable but rather requires specific conditions to be met. The disputed nature of this CVE highlights the importance of proper security configuration management and the need for administrators to understand the implications of PATH modifications. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and potentially to persistence mechanisms, as attackers can establish backdoors through the malicious DLL files. Organizations should implement proper PATH management policies, regularly audit system PATH variables, and ensure that only trusted directories are included in the search path to prevent exploitation of this class of vulnerability. The incident underscores the critical importance of secure installation practices and proper environment variable handling in software deployment processes.
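The PATH audit recommended above, and the search-order condition described in the analysis, can be checked directly. The following PowerShell script is an added example written for this page; it is not code from VulDB, MITRE or ActiveState. It reads the machine-wide PATH from the registry (so per-user additions do not mask or add entries), reports every entry that a low-privilege principal can write to or that points at a non-existent directory (either condition lets an unprivileged local user control what a service finds on the PATH), and flags any wlbsctrl.dll found in a PATH directory outside System32 together with its Authenticode signature status. It assumes it is run as an administrator on Windows with PowerShell 5.1 or later; the list of low-privilege principals and the hypothetical function name Test-LowPrivWritable are this example's own choices.

```powershell
# Added example (not VulDB/MITRE/ActiveState code): audit the machine PATH for
# the precondition CVE-2012-5379 depends on. Assumes Windows, PowerShell 5.1+,
# and an elevated session so every ACL can be read.

# Principals that should never hold write rights on a directory a service
# will search. The list is this example's assumption; extend it for local
# groups that your environment treats as unprivileged.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a principal drop a new file into the directory.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

# Hypothetical helper: returns the first low-privilege principal holding an
# Allow ACE with write rights on $Path, or $null when none is found.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic-right values outside the enum still compare.
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$system32    = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')

$findings = foreach ($entry in ($machinePath -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim()).TrimEnd('\')

    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A dangling entry is a risk too: whoever creates the directory later
        # decides what the service loads from it.
        [pscustomobject]@{ Directory = $dir; Issue = 'missing directory'; Detail = 'entry points at a non-existent path' }
        continue
    }

    $writer = Test-LowPrivWritable -Path $dir
    if ($writer) {
        [pscustomobject]@{ Directory = $dir; Issue = 'writable by low-privilege principal'; Detail = $writer }
    }

    # The DLL named in the advisory should not be served from an arbitrary
    # PATH directory; report any copy outside System32 with its signature.
    $dll = Join-Path $dir 'wlbsctrl.dll'
    if (($dir -ine $system32) -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        [pscustomobject]@{ Directory = $dir; Issue = 'wlbsctrl.dll outside System32'; Detail = "signature: $($sig.Status)" }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No writable, missing, or wlbsctrl.dll-bearing PATH entries found.'
}
```

Run it from an elevated PowerShell prompt on the host being assessed. A directory such as C:\Python27 that appears with the issue "writable by low-privilege principal" is the exact condition the disputed advisory describes; the fix is to tighten the directory's ACL (or remove it from the machine PATH), not to rely on the absence of the DLL today.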

Reservation

10/11/2012

Disclosure

10/11/2012

Moderation

accepted

Entry

VDB-62681

CPE

ready

Exploit

Download

EPSS

0.00359

KEV

no

Activities

very low
