[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting

To: Chris Evans <scarybeasts@xxxxxxxxx>
Subject: Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
From: Mitja Kolsek <mitja.kolsek@xxxxxxxxxxxxxxxxx>
Date: Sat, 22 Oct 2011 00:28:22 +0200

Hi Chris,

You're right: File browse dialogs change the CWD and this contributes 
essentially to the exploitability of the bug in question. While it's possible 
to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected 
file/folder (see http://www.binaryplanting.com/guidelinesDevelopers.htm, bullet 
#7), it may be impossible to prevent them from changing it temporarily to the 
locations the user is opening - which is all this bug needs. Disclaimer: we 
haven't looked into this for over a year, so things may have changed since.

CWD is process-wide and could potentially cause a mess in multithreaded apps. 
Fortunately not many apps actively use it or depend on it. Unfortunately every 
app has it and many can obviously be attacked through it. We believe CWD should 
be eliminated from Windows entirely and applications actively depending on it 
recoded. Because of the latter, the former will probably not happen.

We haven't researched Linux or Mac regarding their CWD-related behavior, nor 
did we test this particular bug on non-Windows systems.

Cheers,
Mitja

> Interesting. Clear write-up.
> I'm not a Windows guy but the article led me to research this:
> 
> http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd
> 
> Isn't that the most significant contributor? An application carefully
> puts its CWD somewhere sane and then the underlying operating system
> flips it around later? Might that also cause non-determinism for
> multi-threaded apps? Does the problem affect Mac, Linux users?
> 
> 
> Cheers
> Chris
> 
>> 
>> or
>> 
>> http://bit.ly/olK1P9
>> 
>> Enjoy the reading!
>> 
>> 
>> Mitja Kolsek
>> CEO&CTO
>> 
>> ACROS, d.o.o.
>> Makedonska ulica 113
>> SI - 2000 Maribor, Slovenia
>> tel: +386 2 3000 280
>> fax: +386 2 3000 282
>> web: http://www.acrossecurity.com
>> blg: http://blog.acrossecurity.com
>> 
>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>> 
>> 
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Google Chrome pkcs11.txt File Planting
  - From: ACROS Security Lists
- Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
  - From: Chris Evans

Prev by Date: Re: [Full-disclosure] Symlink vulnerabilities
Next by Date: Re: [Full-disclosure] Symlink vulnerabilities
Previous by thread: Re: [Full-disclosure] Google Chrome pkcs11.txt File Planting
Next by thread: [Full-disclosure] [ MDVSA-2011:157 ] freetype2
Index(es):
- Date
- Thread