Full Disclosure mailing list archives

Re: Google Chrome pkcs11.txt File Planting

From: Mitja Kolsek <mitja.kolsek () acrossecurity com>
Date: Sat, 22 Oct 2011 00:28:22 +0200

Hi Chris,

You're right: File browse dialogs change the CWD and this contributes essentially to the exploitability of the bug in 
question. While it's possible to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected 
file/folder (see http://www.binaryplanting.com/guidelinesDevelopers.htm, bullet #7), it may be impossible to prevent 
them from changing it temporarily to the locations the user is opening - which is all this bug needs. Disclaimer: we 
haven't looked into this for over a year, so things may have changed since.

CWD is process-wide and could potentially cause a mess in multithreaded apps. Fortunately not many apps actively use it 
or depend on it. Unfortunately every app has it and many can obviously be attacked through it. We believe CWD should be 
eliminated from Windows entirely and applications actively depending on it recoded. Because of the latter, the former 
will probably not happen.

We haven't researched Linux or Mac regarding their CWD-related behavior, nor did we test this particular bug on 
non-Windows systems.

Cheers,
Mitja

Interesting. Clear write-up.
I'm not a Windows guy but the article led me to research this:

http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd

Isn't that the most significant contributor? An application carefully
puts its CWD somewhere sane and then the underlying operating system
flips it around later? Might that also cause non-determinism for
multi-threaded apps? Does the problem affect Mac, Linux users?


Cheers
Chris


or

http://bit.ly/olK1P9

Enjoy the reading!


Mitja Kolsek
CEO&CTO

ACROS, d.o.o.
Makedonska ulica 113
SI - 2000 Maribor, Slovenia
tel: +386 2 3000 280
fax: +386 2 3000 282
web: http://www.acrossecurity.com
blg: http://blog.acrossecurity.com

ACROS Security: Finding Your Digital Vulnerabilities Before Others Do


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Google Chrome pkcs11.txt File Planting ACROS Security Lists (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Thor (Hammer of God) (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Chris Evans (Oct 21)
  - Re: Google Chrome pkcs11.txt File Planting Mitja Kolsek (Oct 22)