Full Disclosure mailing list archives
Re: Google Chrome pkcs11.txt File Planting
From: Mitja Kolsek <mitja.kolsek () acrossecurity com>
Date: Sat, 22 Oct 2011 00:28:22 +0200
Hi Chris, You're right: File browse dialogs change the CWD and this contributes essentially to the exploitability of the bug in question. While it's possible to prevent these dialogs from *keeping* the CWD where the user OK'ed a selected file/folder (see http://www.binaryplanting.com/guidelinesDevelopers.htm, bullet #7), it may be impossible to prevent them from changing it temporarily to the locations the user is opening - which is all this bug needs. Disclaimer: we haven't looked into this for over a year, so things may have changed since. CWD is process-wide and could potentially cause a mess in multithreaded apps. Fortunately not many apps actively use it or depend on it. Unfortunately every app has it and many can obviously be attacked through it. We believe CWD should be eliminated from Windows entirely and applications actively depending on it recoded. Because of the latter, the former will probably not happen. We haven't researched Linux or Mac regarding their CWD-related behavior, nor did we test this particular bug on non-Windows systems. Cheers, Mitja
Interesting. Clear write-up. I'm not a Windows guy but the article led me to research this: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=windows+file+dialog+changes+cwd Isn't that the most significant contributor? An application carefully puts its CWD somewhere sane and then the underlying operating system flips it around later? Might that also cause non-determinism for multi-threaded apps? Does the problem affect Mac, Linux users? Cheers Chrisor http://bit.ly/olK1P9 Enjoy the reading! Mitja Kolsek CEO&CTO ACROS, d.o.o. Makedonska ulica 113 SI - 2000 Maribor, Slovenia tel: +386 2 3000 280 fax: +386 2 3000 282 web: http://www.acrossecurity.com blg: http://blog.acrossecurity.com ACROS Security: Finding Your Digital Vulnerabilities Before Others Do _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Google Chrome pkcs11.txt File Planting ACROS Security Lists (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Thor (Hammer of God) (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Chris Evans (Oct 21)
- Re: Google Chrome pkcs11.txt File Planting Mitja Kolsek (Oct 22)