[SECURITY ALERT] Kleopatra allows local users to execute arbitrary code

Hoàng Cường hoangcuongflp at gmail.com
Thu Jan 28 08:40:50 GMT 2021


Hi Andre,

I think this is a security issue, the file execution is out of control.
This security issue has been recognized and fixed by many organizations.
Ref:
- https://trioxsecurity.com/intel-audio-driver-unquoted-service-path-vulnerability/
- https://hackerone.com/reports/716448
- https://apps.support.sap.com/sap/support/knowledge/en/2180154
- https://www.dell.com/support/kbdoc/en-vn/000149165/dell-wyse-management-suite-multiple-unquoted-service-path-vulnerabilities
- https://www.fortiguard.com/psirt/FG-IR-20-021

Thanks and Best regards,
#hoangcuongflp


On Thu, 28 Jan 2021 at 14:49 Andre Heinecke <aheinecke at gnupg.org>
wrote:

> Hi,
>
> Thanks for the report.
>
> On Thursday 28 January 2021 05:59:01 CET Hoàng Cường wrote:
> > I discovered security vulnerabilities in Kleopatra, tested on Kleopatra
> > Version 3.1.8-gpg4win-3.1.10.latest update.
> >
> > #summary:
> > - Unquoted program path in Kleopatra allows local users to execute
> > arbitrary code, via execution and from a compromised folder.
>
> Not really a Kleopatra issue but GpgEX (just for the record as kde at kde.org
> is in CC).
>
> > #Description
> > - Kleopatra allows local users to execute arbitrary code. if file
> > C:\program.exe exists, it will be executed.
>
> Ok, it's a bug but I don't think this is really a security issue as an
> execution prevention that blocks unknown binaries from being executed is not
> bypassed and on default windows the creation of a file in c:\ requires
> administrative privileges. But I see that it can be an issue with non default
> installation paths.
>
> I can reproduce it with the latest version and I have seen similar issues
> with create process in the past. The issue for this is now
> https://dev.gnupg.org/T5272 and I'll fix it before the next release.
>
>
> Best Regards,
> Andre
>
> --
> GnuPG.com - a brand of g10 Code, the GnuPG experts.
>
> g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
> GF Werner Koch, USt-Id DE215605608, www.g10code.com.
>
> GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf.  VR 11482 Düsseldorf
> Vorstand: W.Koch, B.Reiter, A.Heinecke        Mail: board at gnupg.org
> Finanzamt D-Altstadt, St-Nr: 103/5923/1779.   Tel: +49-211-28010702
>
>
>
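The exchange above turns on how Windows resolves an unquoted program path that contains spaces (the `C:\program.exe` case Andre reproduces). The helper below is an added example, not code from this thread or from GnuPG/Gpg4win: it models the documented CreateProcess lookup order for an unquoted command line (each space-delimited prefix is tried in turn, with `.exe` appended when the prefix has no extension) so an administrator can check which locations an installation's launch commands would consult before the intended binary, and it emits the quoted form that removes the ambiguity. All paths in it are constructed sample values, and `executable_span` is a best-effort heuristic of my own for locating the intended executable inside a command line with trailing arguments.

```python
# Added example (not from the thread or from GnuPG/Gpg4win): audit a Windows
# command line for the unquoted-path problem and produce the quoted fix.
# Models the documented CreateProcess behaviour when lpApplicationName is
# NULL and the module name in lpCommandLine is not quoted. Runs anywhere;
# it never touches the file system.

def _needs_exe(path: str) -> bool:
    """Windows appends .exe when the last path component has no extension."""
    last = path.rsplit("\\", 1)[-1]
    return "." not in last


def executable_span(command_line: str) -> str:
    """Heuristic (assumption): the intended executable ends at the first
    space-delimited token ending in .exe; if none does, the whole string."""
    tokens = command_line.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return command_line


def candidate_executables(command_line: str) -> list:
    """Paths Windows would try, in order, for this command line.
    A quoted module name is unambiguous: only the quoted path is tried."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return [cl[1:end]] if end > 1 else []
    tokens = executable_span(cl).split(" ")
    out = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not prefix or prefix.endswith(" "):  # skip runs of spaces
            continue
        out.append(prefix + ".exe" if _needs_exe(prefix) else prefix)
    return out


def quote_command_line(command_line: str) -> str:
    """Return the command line with the executable path quoted; a line that
    is already quoted is returned unchanged."""
    cl = command_line.strip()
    if cl.startswith('"'):
        return cl
    span = executable_span(cl)
    return f'"{span}"{cl[len(span):]}'


def audit(command_line: str) -> dict:
    """Report the locations consulted before the intended binary and the fix."""
    cands = candidate_executables(command_line)
    shadowed = [] if command_line.strip().startswith('"') else cands[:-1]
    return {
        "vulnerable": bool(shadowed),
        "intended": cands[-1] if cands else None,
        "tried_first": shadowed,       # every entry is a location to verify
        "fixed": quote_command_line(command_line),
    }


if __name__ == "__main__":
    # Constructed sample launch commands, not real Gpg4win paths.
    samples = [
        r"C:\Example Apps\Vendor Tool\tool.exe --uiserver",
        r'"C:\Example Apps\Vendor Tool\tool.exe" --uiserver',
        r"C:\tools\run.exe --verbose",
    ]
    for s in samples:
        print(audit(s))
```

The audit only tells you which paths are consulted first; whether any of them is actually exploitable depends on who can write to those directories, which is the point Andre makes about default versus non-default installation paths.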