CVE-2023-49797: PyInstaller Local Privilege Escalation Vulnerability

PyInstaller, a popular tool for packaging Python applications, shipped for years with a vulnerability through which an unprivileged local user could escalate privileges and take control of the machine. The issue, tracked as CVE-2023-49797 and scored CVSS 8.8 (High) by this write-up, affects Windows users who run applications built with vulnerable PyInstaller releases, in particular when those applications run with elevated rights.

How does the attack work?

PyInstaller lets developers bundle a Python application together with its interpreter and dependencies into a single standalone package, so users can run it without installing Python or any extra modules. The convenience has a cost: at run time the bundle has to unpack itself and its libraries' scratch data somewhere, and that somewhere is the user's temporary directory.

The vulnerability lies in how PyInstaller handles the temporary files and directories the application creates and later removes. A local attacker who can write to the same temporary directory can, by replacing one of those entries with a symbolic link or directory junction at the right moment, make the privileged process delete files the attacker could not delete themselves. Arbitrary file deletion by a privileged process is a well-known stepping stone to local privilege escalation on Windows, and from there to reading data the attacker should not see or installing malware on the system.

Who is affected?

You are potentially affected by this vulnerability if:

  • You run a Python application built with PyInstaller that bundles matplotlib or win32com; PyInstaller's runtime hooks for these libraries create scratch directories in the temporary directory and remove them with shutil.rmtree() at exit.
  • You run the application with administrator privileges, or at least with higher privileges than the attacker, so the deletion happens with rights the attacker lacks.
  • Your temporary directory is not locked down, i.e. the TMP/TEMP environment variables point to a location that other local users can write to.
  • Either
    • the application was built with Python 3.7.x or earlier, whose shutil.rmtree() follows directory junctions into their target instead of removing the junction itself (Python 3.8 changed this), or
    • the attacker can time the swap of a temporary entry for a symlink so that it lands exactly between shutil.rmtree()'s built-in symlink check and the deletion itself. This is a classic time-of-check/time-of-use race: the window is narrow, but a local attacker can keep trying on every run of the application.
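To make that last condition concrete, here is an added example written for this page; it is not PyInstaller's code, and the function names (naive_rmtree, safe_rmtree, run_scenario) and the work/cache and victim/ directory layout are constructed for the demo. It runs a path-based deletion of the kind shutil.rmtree() performs on Windows beside an fd-based one of the kind it performs on POSIX, with a hook that lets a simulated attacker swap a scratch subdirectory for a symlink between the check and the delete. It needs Linux or macOS, because O_NOFOLLOW and dir_fd do not exist on Windows, which is precisely why Windows gets the path-based variant and is the platform this CVE concerns.

```python
"""Added example (not PyInstaller's code): the check-then-delete race behind
CVE-2023-49797, shown with a naive path-based rmtree beside an fd-based one.
Runs on Linux/macOS; Windows lacks O_NOFOLLOW/dir_fd, which is why
shutil.rmtree is path-based there."""
import os
import shutil
import stat
import tempfile


def naive_rmtree(path, race_hook=None):
    """Path-based deletion in the style of shutil.rmtree on Windows.

    race_hook(child_path), if given, is called between the symlink check and
    the action on that child, standing in for an attacker who wins the race.
    """
    for name in os.listdir(path):
        child = os.path.join(path, name)
        is_link = os.path.islink(child)        # the check ...
        if race_hook is not None:
            race_hook(child)                   # ... the attacker swaps the entry ...
        if is_link:
            os.unlink(child)
        elif os.path.isdir(child):             # ... isdir() follows the new link
            naive_rmtree(child, race_hook)     # and we descend into the victim tree
        else:
            os.unlink(child)
    os.rmdir(path)


def safe_rmtree(path, race_hook=None):
    """fd-based deletion, the approach shutil.rmtree uses on POSIX.

    Children are opened relative to a directory fd with O_NOFOLLOW, so an entry
    swapped for a link during the walk is detected (ELOOP) instead of followed.
    """
    top_fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        _rmtree_fd(top_fd, path, race_hook)
    finally:
        os.close(top_fd)
    os.rmdir(path)                             # rmdir never follows links


def _rmtree_fd(dir_fd, path, race_hook):
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    for name in os.listdir(dir_fd):
        child = os.path.join(path, name)       # only so the hook can race us
        st = os.lstat(name, dir_fd=dir_fd)     # the check
        if race_hook is not None:
            race_hook(child)
        if stat.S_ISDIR(st.st_mode):
            try:
                child_fd = os.open(name, flags, dir_fd=dir_fd)
            except OSError:                    # ELOOP: it became a link; drop the link only
                os.unlink(name, dir_fd=dir_fd)
                continue
            try:
                _rmtree_fd(child_fd, child, race_hook)
            finally:
                os.close(child_fd)
            os.rmdir(name, dir_fd=dir_fd)
        else:
            os.unlink(name, dir_fd=dir_fd)


def run_scenario(deleter):
    """Return True if the victim file survives `deleter` under attack.

    Constructed layout (one mkdtemp standing in for a shared TEMP):
      work/cache   scratch dir made by the "privileged" app, attacker-writable
      victim/      tree the attacker cannot touch directly
    At the race window the attacker replaces work/cache with a link to victim/.
    """
    base = tempfile.mkdtemp(prefix="cve-2023-49797-demo-")
    try:
        victim = os.path.join(base, "victim")
        secret = os.path.join(victim, "secret.txt")
        os.makedirs(victim)
        with open(secret, "w") as fh:
            fh.write("do not delete me\n")
        work = os.path.join(base, "work")
        target = os.path.join(work, "cache")
        os.makedirs(target)
        fired = False

        def attacker(child):
            nonlocal fired
            if fired or child != target:
                return
            fired = True
            os.rmdir(child)                    # attacker controls work/, so may replace its child
            os.symlink(victim, child)          # ... with a link into the victim tree

        try:
            deleter(work, race_hook=attacker)
        except OSError:
            pass                               # naive_rmtree trips over the link at the end
        return os.path.exists(secret)
    finally:
        shutil.rmtree(base)                    # POSIX rmtree is fd-based: the link is unlinked, not followed


def demo():
    """(victim survives naive_rmtree, victim survives safe_rmtree)"""
    return run_scenario(naive_rmtree), run_scenario(safe_rmtree)


if __name__ == "__main__":
    naive_ok, safe_ok = demo()
    print("path-based rmtree: victim survives =", naive_ok)
    print("fd-based rmtree:   victim survives =", safe_ok)
    print("shutil.rmtree.avoids_symlink_attacks here:", shutil.rmtree.avoids_symlink_attacks)
```

The naive walk deletes victim/secret.txt because os.path.isdir() happily follows the link the attacker dropped in after the islink() check; the fd-based walk refuses to open the swapped entry and removes only the link. On a real system you can check which variant you have with shutil.rmtree.avoids_symlink_attacks: it is True on Linux and macOS and False on Windows, and the Python 3.8 junction change described above narrows the Windows exposure but does not remove the race.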

What can you do to protect yourself?

The best way to protect against CVE-2023-49797 is to rebuild affected applications with PyInstaller 5.13.1 or later, which contains the fix. Note that the fix lives in the bundled runtime, so end users are protected only once the application they run has been rebuilt; upgrading PyInstaller on a developer machine without shipping new binaries changes nothing for them. Building with Python 3.8 or newer closes only the first of the two conditions above (junction handling); the timing-based symlink race remains until the application is rebuilt with a fixed PyInstaller.

Here are some additional steps you can take:

  • Be careful about running applications you don't trust, and in particular avoid running PyInstaller-built applications as administrator unless they genuinely need it.
  • Make sure your temporary directory is locked down: point TMP/TEMP at a directory that only your account can write to, rather than a location shared with other local users.
  • Consider using a security product that can detect and block suspicious local activity, such as a privileged process deleting files outside its own working directories.