[SECURITY ALERT] Kleopatra allows local users to execute arbitrary code

Andre Heinecke aheinecke at gnupg.org
Thu Jan 28 07:49:50 GMT 2021


Hi,

Thanks for the report.

On Thursday 28 January 2021 05:59:01 CET Hoàng Cường wrote:
> I discovered security vulnerabilities in Kleopatra , tested on Kleopatra
> Version 3.1.8-gpg4win-3.1.10.latest update.
> 
> #sumary:
> - Unquoted program path in Kleopatra allows local users to execute
> arbitrary code, via execution and from a compromised folder.

Not really a Kleopatra issue but GpgEX (just for the record as kde at kde.org is 
in CC).

> #Description
> - Kleopatra allows local users to execute arbitrary code. if file
> C:\program.exe exists, it will be executed.

Ok, its a bug but I don't think this is really a security isse as an execution 
prevention that blocks unknown binaries from beeing executed is not bypassed 
and on default windows the creation of a file in c:\ requires administrative 
privileges. But I see that it can be an issue with non default installation 
paths.

I can reproduce it with the latest version and I have seen similar issues with 
create process in the past. The issue for this is now https://dev.gnupg.org/
T5272 and I'll fix it before the next release.


Best Regards,
Andre

-- 
GnuPG.com - a brand of g10 Code, the GnuPG experts.

g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
GF Werner Koch, USt-Id DE215605608, www.g10code.com.

GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
Vorstand: W.Koch, B.Reiter, A.Heinecke        Mail: board at gnupg.org
Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-211-28010702




More information about the kde mailing list