CVE-2019-16784 : Exploit Details and Defense Strategies

Discover the PyInstaller vulnerability (CVE-2019-16784) allowing local privilege escalation on Windows. Learn about the impact, affected versions, and mitigation steps.

In PyInstaller versions prior to 3.6, a vulnerability exists on Windows that allows for local privilege escalation under specific conditions. This CVE was discovered and reported by Farid AYOUJIL, David HA, Florent LE NIGER, and Yann GASCUEL from Alter Solutions.

Understanding CVE-2019-16784

What is CVE-2019-16784?

PyInstaller before version 3.6 has a local privilege escalation vulnerability on Windows. It occurs when an application packaged with PyInstaller in "onefile" mode is launched by a privileged user whose "TempPath" points to a directory that all users can write to.

The Impact of CVE-2019-16784

This vulnerability has a CVSS base score of 7 (High severity) with high impacts on confidentiality, integrity, and availability. The attack complexity is high, and user interaction is not required.

Technical Details of CVE-2019-16784

Vulnerability Description

The vulnerability allows local privilege escalation when an application packaged with PyInstaller in "onefile" mode is executed by a privileged user with specific configurations.

Affected Systems and Versions

        Platforms: Windows
        Product: PyInstaller
        Versions Affected: < 3.6

Exploitation Mechanism

To exploit this vulnerability, the attacker needs to launch the exploit program, and the software must then be restarted or relaunched, which makes the issue relevant for services initialized at startup.

Mitigation and Prevention

Immediate Steps to Take

        Update PyInstaller to version 3.6 or higher to mitigate the vulnerability.
        Avoid running software packaged with PyInstaller in "onefile" mode under privileged user accounts.

Long-Term Security Practices

        Regularly review and restrict directory permissions to prevent unauthorized write access.
        Implement the principle of least privilege to limit user capabilities.
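
One way to audit the two conditions this advisory names, the affected version range and a temp directory writable by all users, shown as an added example that is not part of the original advisory or PyInstaller's own code. It parses `icacls` output for the directory; the sample path and output are constructed, and the English-locale principal names are an assumption.

```python
import re

# Assumption: English-locale principal names as icacls prints them.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# icacls simple (F, M, W) and specific (WD, AD, GW, GA) rights that permit writing.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^()]*\))+)$")

def is_affected_version(version):
    """The advisory lists PyInstaller versions < 3.6 as affected."""
    nums = re.match(r"\d+(?:\.\d+)*", version)
    return nums is not None and tuple(map(int, nums[0].split("."))) < (3, 6)

def broad_write_aces(icacls_output, path):
    """Return (principal, rights) pairs that let broad groups write into path."""
    findings = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()  # first ACE shares a line with the path
        m = ACE_RE.match(line)
        if not m:
            continue
        tokens = {t.strip() for g in re.findall(r"\(([^()]*)\)", m["groups"])
                  for t in g.split(",")}
        rights = tokens & WRITE_RIGHTS
        # DENY ACEs grant nothing; inherit-only (IO) ACEs do not apply to the
        # directory itself, so neither allows creating files in it.
        if not rights or tokens & {"DENY", "IO"}:
            continue
        if m["who"].lower() in BROAD:
            findings.append((m["who"], sorted(rights)))
    return findings

# Constructed sample: icacls output for a hypothetical service temp directory.
SAMPLE_PATH = r"C:\ServiceTemp"
SAMPLE_ICACLS = r"""C:\ServiceTemp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               BUILTIN\Users:(OI)(CI)(RX)
               Everyone:(OI)(CI)(IO)(M)
               NT AUTHORITY\Authenticated Users:(CI)(WD,AD)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print("PyInstaller 3.5 affected:", is_affected_version("3.5"))
    for who, rights in broad_write_aces(SAMPLE_ICACLS, SAMPLE_PATH):
        print(f"{who} can write to {SAMPLE_PATH}: {rights}")
```

On a real host, feed the function the text printed by `icacls` for the temp directory of the account that runs the packaged application.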

Patching and Updates

Apply security patches and updates provided by PyInstaller to address known vulnerabilities.
