GpgEx: Incorrect spawn of UI Server can cause a c:\Program.exe to be executed
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	aheinecke
	Jan 28 2021, 8:45 AM

Description

This is a tricky issue with CreateProcess when the quoting is not done correctly it will use some heuristics to figure out which part of the argument is the program name.

You can reproduce it by placing a file as c:\program.exe (which requires administrative privileges on default windows systems). Than that will be executed.

I don't think this is a security issue as an execution prevention policy that blocks CreateProcess of unsigned files etc. will block this and even on "unhardened" systems creating c:\program.exe requires higher privileges then just to execute such a process. Still when gpg4win is installed in a non standard path or on a shared drive this could be problematic.

It is definitely a bug regardless of the impact.

Details

Version: 1.0.7

Revisions and Commits

rX GpgEX
	rXdf289bb41652 Fix CreateProcess call of GpgEX

Related Objects
Search...

		Status	Assigned	Task
		Resolved	aheinecke	T5272 GpgEx: Incorrect spawn of UI Server can cause a c:\Program.exe to be executed
		Resolved	aheinecke	T5273 Release Gpg4win 4.x.x

Event Timeline

aheinecke created this task.Jan 28 2021, 8:45 AM

aheinecke added a subtask: T5273: Release Gpg4win 4.x.x.Jan 28 2021, 10:39 AM

aheinecke added a commit: rXdf289bb41652: Fix CreateProcess call of GpgEX.Jan 28 2021, 10:41 AM

aheinecke closed this task as Resolved.Apr 21 2022, 9:57 AM

aheinecke closed subtask T5273: Release Gpg4win 4.x.x as Resolved.May 9 2022, 9:29 AM

GpgEx: Incorrect spawn of UI Server can cause a c:\Program.exe to be executedClosed, ResolvedPublicActions