CVE-2019-16784 in PyInstaller

Summary

by MITRE

In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: if software using PyInstaller in "onefile" mode is launched by a privileged user (at least more privileged than the current one) whose "TempPath" resolves to a world-writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launches the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).


Analysis

by VulDB Data Team • 03/21/2024

This vulnerability affects PyInstaller version 3.5 and earlier on Windows and is a significant local privilege escalation flaw rooted in how the software handles temporary files during execution. It manifests only when an application packaged in PyInstaller's "onefile" mode is run by a privileged user whose temporary path resolves to a world-writable directory. That is commonly the case when the application is launched as a service or a scheduled task under a system account, where the temporary path defaults to C:\Windows\Temp, a directory that all users on the system can typically write to. The root cause is that a onefile executable extracts its bundled contents to a temporary directory before running them; when that directory is writable by unprivileged users, a malicious actor can manipulate the extraction process to inject malicious code.

The operational impact is particularly severe in enterprise environments, where services and scheduled tasks commonly run with elevated privileges. Exploitation requires the ability to modify files in the world-writable temporary directory, which any user on the system has. The vulnerability becomes exploitable only after the target application is restarted, so an attacker must wait for a service restart or application reinitialization. This timing requirement imposes some operational constraints but also makes the vulnerability predictable and easier to plan for in a targeted attack. The flaw aligns with CWE-276, which covers incorrect default file permissions, and is a classic case of insecure temporary file handling: a privileged application uses a temporary directory without validating or securing it.

From an attack perspective, the vulnerability maps to the ATT&CK framework's Privilege Escalation tactic, specifically the 'Exploitation for Privilege Escalation' technique. The attack vector is manipulation of the temporary files created during application execution, which makes this a post-exploitation technique: an initial foothold on the host is required. The need for a service restart or application reinitialization creates a window of opportunity that must be timed around system events such as crashes, updates, or manual restarts. The case demonstrates the importance of secure temporary file handling in privileged applications and the risk posed by applications that do not isolate their temporary execution environment from user-accessible locations. Organizations should consider additional controls such as restricting write permissions on system temporary directories, monitoring for unauthorized modifications to temporary files, and configuring privileged applications to use secure temporary directories that unprivileged users cannot access. The case also underscores the necessity of keeping software packages updated: the issue was resolved in PyInstaller version 3.6 through improved temporary file handling that prevents the creation of executable files in world-writable directories.
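Applying the update advice above starts with knowing which executables on a host are PyInstaller onefile bundles. The following Python parser is an added example, not code from the VulDB page or the PyInstaller project: it reads the CArchive cookie and table of contents that the PyInstaller bootloader appends to every bundled exe (field layout as in PyInstaller 3.x) and flags bundles that carry binaries or data files, taken here as the onefile indicator because those are what gets extracted under TempPath at start-up. The sample archive is constructed inline; the onefile heuristic and the sample entry names are assumptions.

```python
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"        # CArchive cookie magic written by the PyInstaller bootloader
COOKIE_FMT = "!8sIIii64s"                  # magic, package length, TOC offset, TOC length, pyvers, python lib name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller 3.x cookie layout)
ENTRY_FMT = "!iIIIBc"                      # entry length, data offset, compressed length, raw length, flag, type code
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes; the entry name follows, NUL-padded to a 16-byte multiple


def parse_pyinstaller(data: bytes):
    """Return cookie/TOC metadata if `data` carries a PyInstaller CArchive, else None."""
    # Search backwards: an Authenticode signature may sit after the cookie, so the tail is not fixed.
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    start = pos + COOKIE_LEN - pkg_len                  # archive start; the PE stub precedes it
    toc = data[start + toc_off:start + toc_off + toc_len]
    entries, p = [], 0
    while p + ENTRY_LEN <= len(toc):
        slen, _off, _clen, _ulen, _flag, typ = struct.unpack(ENTRY_FMT, toc[p:p + ENTRY_LEN])
        if slen < ENTRY_LEN:                            # corrupt entry; stop rather than loop forever
            break
        entries.append((typ.decode(), toc[p + ENTRY_LEN:p + slen].rstrip(b"\0").decode()))
        p += slen
    kinds = {t for t, _ in entries}
    return {
        "python": f"{pyvers // 10}.{pyvers % 10}",      # 3.x stores e.g. 37 for Python 3.7
        "pylib": pylib.rstrip(b"\0").decode(),
        # Heuristic (assumption): bundled binaries ('b') or data files ('x') mean a onefile build,
        # i.e. contents are extracted to a _MEIxxxxxx directory under TempPath at every start.
        "onefile": bool(kinds & {"b", "x"}),
        "entries": entries,
    }


def build_sample(onefile: bool) -> bytes:
    """Constructed stand-in for a bundled exe (fake stub + minimal CArchive), not real PyInstaller output."""
    entries = [("s", "pyiboot01_bootstrap"), ("z", "PYZ-00.pyz")]
    if onefile:
        entries += [("b", "python37.dll"), ("x", "config.ini")]
    toc = b""
    for typ, name in entries:
        raw = name.encode() + b"\0"
        raw += b"\0" * (-(ENTRY_LEN + len(raw)) % 16)   # pad entry to a 16-byte multiple
        toc += struct.pack(ENTRY_FMT, ENTRY_LEN + len(raw), 0, 0, 0, 0, typ.encode()) + raw
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(toc) + COOKIE_LEN, 0, len(toc), 37, b"python37.dll")
    return b"MZ" + b"\0" * 62 + toc + cookie
```

Run parse_pyinstaller over the bytes of each service or scheduled-task binary that runs under a system account; a onefile hit built with PyInstaller 3.5 or earlier is a candidate for rebuilding with 3.6 or later.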

Responsible

GitHub, Inc.

Reservation

09/24/2019

Moderation

accepted

CPE

ready

EPSS

0.00689

KEV

no

Activities

very low
