Author: Adam Borowski
Date:  
To: dng
Subject: Re: [DNG] VBScript Injection via GNOME Thumbnailer
On Tue, Jul 18, 2017 at 12:39:45AM -0700, Rick Moen wrote:
> Quoting Joachim Fahrner (jf@???):
>
> > Another nice bug in Gnome:
> > http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html
>
> I feel almost dirty making excuses for GNOME ;-> , but this bug in
> /usr/bin/gnome-exe-thumbnailer appears to be exploitable only if WINE
> is installed and findable by that GNOME utility. The thumbnailer
> invokes WINE's cscript.exe, which appears to be a Windows Scripting Host
> command interpreter -- and thus run VBScript.


But _why_ would you say this is an excuse? Wine is an unrelated piece of
software, and it's not a bug in Wine. It's nice to have Wine installed,
it reduces your need to have a Windows partition/VM[1] to basically zero.
It's like saying that Perl is responsible if you feed it a program from
an untrusted source. Wine does one task: run programs in PE format for
win32/win64 ABI, and does it quite well.


[1]. For your own use, that is -- if you want to test programs for others
you'll obviously want VMs for multiple versions of Windows, just like you
have a Fedora VM and an OpenBSD VM.
--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ A dumb species has no way to open a tuna can.
⢿⡄⠘⠷⠚⠋⠀ A smart species invents a can opener.
⠈⠳⣄⠀⠀⠀⠀ A master species delegates.