CVE-2019-16784

Local Privilege Escalation present only on the Windows version of PyInstaller

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In PyInstaller before version 3.6, only on Windows, a local privilege escalation vulnerability is present in this particular case: If a software using PyInstaller in "onefile" mode is launched by a privileged user (at least more than the current one) which have his "TempPath" resolving to a world writable directory. This is the case for example if the software is launched as a service or as a scheduled task using a system account (TempPath will be C:\Windows\Temp). In order to be exploitable the software has to be (re)started after the attacker launch the exploit program, so for a service launched at startup, a service restart is needed (e.g. after a crash or an upgrade).

En PyInstaller versiones anteriores a 3.6, solo sobre Windows, se presenta una vulnerabilidad de escalada de privilegios local en este caso particular: si un software que usa PyInstaller en modo "onefile" es activado por un usuario privilegiado (al menos más que el actual) que tiene su "TempPath" resolviendo en un directorio de tipo world writable. Este es el caso, por ejemplo, si el software es iniciado como un servicio o como una tarea programada utilizando una cuenta system (TempPath será C:\Windows\Temp). A fin de ser explotable, el software tiene que ser reiniciado después de que el atacante active el programa de explotación, por lo que para un servicio activado en el inicio, es necesario reiniciar el servicio (por ejemplo, después de un bloqueo o una actualización).

*Credits: This vulnerability was discovered and reported by Farid AYOUJIL (@faridtsl), David HA, Florent LE NIGER and Yann GASCUEL (@lnv42) from Alter Solutions (@AlterSolutions) and fixed in collaboration with Hartmut Goebel (@htgoebel).

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-24 CVE Reserved
2020-01-14 CVE Published
2023-03-08 EPSS Updated
2023-12-19 First Exploit
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-250: Execution with Unnecessary Privileges
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC
https://github.com/Ckrielle/CVE-2019-16784-POC	2023-12-24
https://github.com/AlterSolutions/PyInstallerPrivEsc	2023-12-19

URL	Date	SRC
https://github.com/pyinstaller/pyinstaller/security/advisories/GHSA-7fcj-pq9j-wh2r	2020-10-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pyinstaller Search vendor "Pyinstaller"	Pyinstaller Search vendor "Pyinstaller" for product "Pyinstaller"	< 3.6 Search vendor "Pyinstaller" for product "Pyinstaller" and version " < 3.6"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe