[EU-FOSSA] Fix a security issue: RCE via unsanitized command line in "Open containing folder"

Summary of the Issue:
A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder.

Steps to reproduce:
Download the attached archive on Windows: unzip_me.zip (F404758)
Unzip it and navigate into it
Open the txt file inside with Notepad++
Go to File -> Open containing folder -> cmd

Impact statement:
Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer.
This commit is contained in:
Don HO 2019-01-14 20:20:19 +01:00
parent fd32585c14
commit 0f936707a2
2 changed files with 2 additions and 2 deletions

View File

@ -90,7 +90,7 @@ void Notepad_plus::command(int id)
case IDM_FILE_OPEN_CMD:
{
Command cmd(TEXT("cmd /K cd /d $(CURRENT_DIRECTORY)"));
Command cmd(TEXT("cmd /K cd /d \"$(CURRENT_DIRECTORY)\""));
cmd.run(_pPublicInterface->getHSelf());
}
break;

View File

@ -688,7 +688,7 @@ void FileBrowser::popupMenuCmd(int cmdID)
if (::PathFileExists(path.c_str()))
{
TCHAR cmdStr[1024];
wsprintf(cmdStr, TEXT("cmd /K cd /d %s"), path.c_str());
wsprintf(cmdStr, TEXT("cmd /K cd /d \"%s\""), path.c_str());
Command cmd(cmdStr);
cmd.run(nullptr);
}