Hi Andre,

I think this is a security issue, the file execution is out of control. This security issue has been recognized and fixed by many organizations.

Ref:
- https://trioxsecurity.com/intel-audio-driver-unquoted-service-path-vulnerability/
- https://hackerone.com/reports/716448
- https://apps.support.sap.com/sap/support/knowledge/en/2180154
- https://www.dell.com/support/kbdoc/en-vn/000149165/dell-wyse-management-suite-multiple-unquoted-service-path-vulnerabilities
- https://www.fortiguard.com/psirt/FG-IR-20-021

Thanks and Best regards,
#hoangcuongflp

On Thu, 28 Jan 2021 at 14:49, Andre Heinecke <aheine...@gnupg.org> wrote:
> Hi,
>
> Thanks for the report.
>
> On Thursday 28 January 2021 05:59:01 CET Hoàng Cường wrote:
> > I discovered security vulnerabilities in Kleopatra, tested on Kleopatra
> > Version 3.1.8-gpg4win-3.1.10, latest update.
> >
> > #summary:
> > - Unquoted program path in Kleopatra allows local users to execute
> > arbitrary code, via execution and from a compromised folder.
>
> Not really a Kleopatra issue but GpgEX (just for the record as k...@kde.org
> is in CC).
>
> > #Description
> > - Kleopatra allows local users to execute arbitrary code. If file
> > C:\program.exe exists, it will be executed.
>
> Ok, it's a bug but I don't think this is really a security issue as an
> execution prevention that blocks unknown binaries from being executed is not
> bypassed and on default Windows the creation of a file in c:\ requires
> administrative privileges. But I see that it can be an issue with non default
> installation paths.
>
> I can reproduce it with the latest version and I have seen similar issues
> with create process in the past. The issue for this is now
> https://dev.gnupg.org/T5272 and I'll fix it before the next release.
>
>
> Best Regards,
> Andre
>
> --
> GnuPG.com - a brand of g10 Code, the GnuPG experts.
>
> g10 Code GmbH, Erkrath/Germany, AG Wuppertal HRB14459
> GF Werner Koch, USt-Id DE215605608, www.g10code.com.
>
> GnuPG e.V., Rochusstr. 44, D-40479 Düsseldorf. VR 11482 Düsseldorf
> Vorstand: W.Koch, B.Reiter, A.Heinecke Mail: bo...@gnupg.org
> Finanzamt D-Altstadt, St-Nr: 103/5923/1779.
> Tel: +49-211-28010702
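Added example, not part of the thread and not GpgEX or Kleopatra code: a small Python audit helper that follows the executable-search order Microsoft documents for CreateProcess when the program path is passed unquoted, lists the files Windows would try before the intended binary (C:\program.exe being the first, as the report describes), and builds the quoted command line that removes the ambiguity. The Gpg4win install path and the arguments used below are assumptions.

```python
import ntpath
import subprocess


def hijack_candidates(command_line: str, intended_exe: str) -> list:
    """Return, in order, the paths CreateProcess (lpApplicationName = NULL)
    would try before reaching intended_exe.

    Documented behaviour: an unquoted first token is extended one
    space-separated word at a time, ".exe" is appended when the candidate
    has no extension, and the search stops at the first existing file.
    A quoted program path is unambiguous and yields no candidates."""
    if command_line.startswith('"'):
        return []
    words = command_line.split(' ')
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = ' '.join(words[:i])
        if '.' not in ntpath.basename(prefix):
            prefix += '.exe'
        if prefix.lower() == intended_exe.lower():
            return candidates
        candidates.append(prefix)
    raise ValueError("intended executable does not appear in the command line")


def quote_command_line(exe: str, args: list) -> str:
    """Build the hardened form: the program path is always quoted, and each
    argument is escaped with subprocess.list2cmdline (CPython's
    implementation of the MSVC argument-quoting rules)."""
    parts = ['"' + exe + '"']
    parts += [subprocess.list2cmdline([a]) for a in args]
    return ' '.join(parts)


if __name__ == "__main__":
    # Hypothetical Gpg4win install path; constructed for the demonstration.
    exe = r"C:\Program Files\GnuPG\bin\kleopatra.exe"
    unsafe = exe + " --decrypt"
    print("unquoted :", unsafe)
    for path in hijack_candidates(unsafe, exe):
        print("  tried first:", path)        # C:\Program.exe
    print("quoted   :", quote_command_line(exe, ["--decrypt", "my file.gpg"]))
```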