CVE-2019-16784: Local Privilege Escalation in PyInstaller
(updated )
Local Privilege Escalation in all Windows software frozen by PyInstaller in “onefile” mode.
The vulnerability is present only on Windows and in this particular case: If a software frozen by PyInstaller in “onefile” mode is launched by a (privileged) user who has his/her “TempPath” resolving to a world writable directory. This is the case e.g. if the software is launched as a service or as a scheduled task using a system account (in which case TempPath will default to C:\Windows\Temp).
In order to be exploitable the software has to be (re)started after the attacker has launched the exploit program. So for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).
While PyInstaller itself was not vulnerable, all Windows software frozen by PyInstaller in “onefile” mode is vulnerable.
CVSSv3 score 7.0 (High) CVSSv3 vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected
- all Windows software frozen by PyInstaller in “onefile” mode
No affected
- PyInstaller itself (except if frozen by PyInstaller in “onefile” mode on Windows)
- software frozen in “onedir” mode
- other platforms (GNU/Linux, OS X, BSD, etc.)
References
- github.com/advisories/GHSA-7fcj-pq9j-wh2r
- github.com/pyinstaller/pyinstaller
- github.com/pyinstaller/pyinstaller/commit/42a67148b3bdf9211fda8499fdc5b63acdd7e6cc
- github.com/pyinstaller/pyinstaller/commit/be948cf0954707671aa499da17b10c86b6fa5e5c
- github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r
- github.com/pypa/advisory-database/tree/main/vulns/pyinstaller/PYSEC-2020-175.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-16784
Detect and mitigate CVE-2019-16784 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →