PyInstaller Arbitrary Code Execution Vulnerability in Applications Built Prior to 6.0.0

Vulnerability

A vulnerability in PyInstaller allows for arbitrary code execution in applications built with PyInstaller versions prior to 6.0.0. This issue arises because the bootstrap process appends a special entry to `sys.path`, which can be exploited by an unprivileged attacker to execute arbitrary Python code. The vulnerability is present in both onedir and onefile modes, but only if the optional bytecode encryption feature was not enabled during the application build. To exploit this vulnerability, the attacker must be able to create files or directories in the same location as the executable, use a non-Windows filesystem that allows `?` in file names, and determine the offset of the PYZ archive within the executable.

Impact

Exploitation of this vulnerability allows for arbitrary code execution. If the affected application is running with elevated privileges, the executed code also gains those privileges, leading to local privilege escalation.

Reproduction

To reproduce this vulnerability, first build a Python application using a PyInstaller version prior to 6.0.0, ensuring that the optional bytecode encryption feature is disabled. Once the application is built, place it in a directory where the attacker can create files or directories. The filesystem must support names containing `?`, which rules out Windows. The attacker then needs to determine the offset of the PYZ archive in the executable. With this information, create a directory or a zip archive next to the executable, named to correspond with the PYZ archive's location. If this directory or archive contains a Python module matching the name used by the optional bytecode encryption feature, the module will be imported and executed by the application's bootstrap script, resulting in arbitrary code execution.

Remediation

Upgrade to PyInstaller version 6.10.0 or later, which addresses this vulnerability by removing the bytecode encryption feature and reworking the bootstrap process to prevent exploitation. If upgrading is not possible, ensure that the directories containing security-sensitive executables are not writable by untrusted users, so that the attacker cannot place a directory or archive next to the executable.
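As an added example that is not part of this advisory or of PyInstaller itself, the following Python script audits the directory that holds a PyInstaller-built executable for the two preconditions the advisory names: a directory that other users can write to, and sibling entries whose names contain `?`. The function names and the constructed sample layout are my own assumptions.

```python
# Added example (not from the advisory): audit the directory holding a
# PyInstaller-built executable for the preconditions described above.
import os
import stat
import tempfile
from pathlib import Path


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set on `path`."""
    mode = path.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_executable_dir(exe: Path) -> dict:
    """Report risk indicators for the directory containing `exe`."""
    exe = Path(exe).resolve()
    parent = exe.parent
    # The advisory states the attacker-created directory or archive must
    # sit next to the executable and needs "?" in its name, so any sibling
    # entry containing "?" is worth investigating.
    suspicious = sorted(
        e.name for e in os.scandir(parent)
        if e.name != exe.name and "?" in e.name
    )
    return {
        "executable": str(exe),
        "dir_writable_by_others": writable_by_others(parent),
        "suspicious_siblings": suspicious,
    }


def demo() -> dict:
    """Constructed sample layout: a world-writable directory holding a
    stand-in executable plus one sibling whose name contains '?'."""
    root = Path(tempfile.mkdtemp())
    exe = root / "app"
    exe.write_bytes(b"")             # stand-in for the built executable
    (root / "app?sample").mkdir()    # constructed suspicious sibling
    os.chmod(root, 0o777)            # deliberately weak permissions
    return audit_executable_dir(exe)


if __name__ == "__main__":
    print(demo())
```

Run it against a real deployment by calling `audit_executable_dir` on the executable path; a clean install should report `dir_writable_by_others` as False and an empty `suspicious_siblings` list.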

Added: Sep 9, 2025, 11:18 PM
Updated: Sep 9, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 4.3
remediation: 7.9
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.