[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <F08480F1-5391-4A50-BF45-0EA7AEFF4D45@acrossecurity.com>
Date: Sat, 22 Oct 2011 00:28:22 +0200
From: Mitja Kolsek <mitja.kolsek@...ossecurity.com>
To: Chris Evans <scarybeasts@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
"security@...ossecurity.com" <security@...ossecurity.com>
Subject: Re: Google Chrome pkcs11.txt File Planting
Hi Chris,
You're right: File browse dialogs change the CWD and this contributes essentially to the exploitability of the bug in question. While it's possible to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected file/folder (see http://www.binaryplanting.com/guidelinesDevelopers.htm, bullet #7), it may be impossible to prevent them from changing it temporarily to the locations the user is opening - which is all this bug needs. Disclaimer: we haven't looked into this for over a year, so things may have changed since.
CWD is process-wide and could potentially cause a mess in multithreaded apps. Fortunately not many apps actively use it or depend on it. Unfortunately every app has it and many can obviously be attacked through it. We believe CWD should be eliminated from Windows entirely and applications actively depending on it recoded. Because of the latter, the former will probably not happen.
We haven't researched Linux or Mac regarding their CWD-related behavior, nor did we test this particular bug on non-Windows systems.
Cheers,
Mitja
> Interesting. Clear write-up.
> I'm not a Windows guy but the article led me to research this:
>
> http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd
>
> Isn't that the most significant contributor? An application carefully
> puts its CWD somewhere sane and then the underlying operating system
> flips it around later? Might that also cause non-determinism for
> multi-threaded apps? Does the problem affect Mac, Linux users?
>
>
> Cheers
> Chris
>
>>
>> or
>>
>> http://bit.ly/olK1P9
>>
>> Enjoy the reading!
>>
>>
>> Mitja Kolsek
>> CEO&CTO
>>
>> ACROS, d.o.o.
>> Makedonska ulica 113
>> SI - 2000 Maribor, Slovenia
>> tel: +386 2 3000 280
>> fax: +386 2 3000 282
>> web: http://www.acrossecurity.com
>> blg: http://blog.acrossecurity.com
>>
>> ACROS Security: Finding Your Digital Vulnerabilities Before Others Do
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists