Multiple security vulnerabilities in NVDA #515

nvaccessAuto opened this issue Jan 1, 2010 · 2 comments



commented Jan 1, 2010

Reported by tspivey on 2009-12-26 05:33
Here we go again (2009.1 on win7).

  1. The log viewer allows the save-as command (On the log menu) to be run from secure desktops, allowing the by-now familiar running of cmd.exe.
  2. The various items in the help menu allow the running of external programs which contain open/save dialogs, again allowing this same exploit.

Proof of concept:

  1. Get to a secure desktop and open the log viewer. Go to log -> save As.
  2. Dismiss any location error dialogs that appear. (enter or escape).
  3. Type %windir%\system32\c*.exe, press enter, pick cmd from the list, activate the context menu and run as administrator.


commented Jan 1, 2010

Comment 1 by mdcurran on 2009-12-27 02:04
I'm wondering how far we should go with fixing this stuff. In regards to the log viewer: should we just disable saving, or should we disable the log viewer altogether for secure copies of NVDA?
The reason I suggest disabling the log viewer altogether is that it is very possible that sensitive information may be displayed, due to debugging etc.
So, it almost seems as though we need to simply remove tools and help from the NVDA menu if it is a secure copy.
Keeping preferences is probably safe enough, though in the long run I'd prefer that we have a way of duplicating one user's NVDA profile into the system profile (requiring an administrative password of course) and then we'd disable saving of config in secure copies also, but that's for another ticket.

Perhaps for now, in secure copies we:

  • Disable log viewer
  • Disable Python console (we already do this)
  • Help menu: disable everything except for "about...".

Milestone changed from None to 2010.1



commented Jan 1, 2010

Comment 2 by mdcurran on 2009-12-27 02:15
Fixed in r3445. Log viewer is no longer shown in tools menu if secure, and all documentation (excluding welcome dialog and About) is no longer shown in Help menu (if secure).
State: closed

@nvaccessAuto nvaccessAuto added this to the 2010.1 milestone Nov 10, 2015
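
The mitigation discussed in this thread hides individual menu items when NVDA runs as a secure copy. The sketch below is an added example, not NVDA's code: it shows the same gating done as default deny, plus an audit that catches an item opted in to secure mode while it can still reach a file dialog, an external program, or sensitive output. `Cap`, `MenuItem`, `build_menu`, `audit` and the item lists are hypothetical names and constructed data.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Cap(Flag):
    """What a menu item can reach once activated (hypothetical taxonomy)."""
    NONE = 0
    FILE_DIALOG = auto()       # opens an open/save dialog
    EXTERNAL_PROGRAM = auto()  # hands off to another program
    SENSITIVE_OUTPUT = auto()  # may display debugging or user data


@dataclass(frozen=True)
class MenuItem:
    menu: str
    label: str
    caps: Cap = Cap.NONE
    secure_ok: bool = False    # default deny: new items stay hidden when secure


def build_menu(items, secure):
    """Return the labels shown; a secure copy shows only opted-in items."""
    return [i.label for i in items if i.secure_ok or not secure]


def audit(items):
    """Return labels opted in to secure mode despite carrying a capability."""
    return [i.label for i in items if i.secure_ok and i.caps != Cap.NONE]


# Constructed item lists modelled on the menus named in the thread.
BEFORE = [
    MenuItem("Preferences", "Preferences", secure_ok=True),
    MenuItem("Tools", "Log viewer", Cap.FILE_DIALOG | Cap.SENSITIVE_OUTPUT, True),
    MenuItem("Tools", "Python console", Cap.SENSITIVE_OUTPUT),
    MenuItem("Help", "Documentation", Cap.EXTERNAL_PROGRAM, True),
    MenuItem("Help", "About...", secure_ok=True),
]
# Same items with the opt-in withdrawn from anything that carries a capability.
AFTER = [
    MenuItem(i.menu, i.label, i.caps, i.secure_ok and i.caps == Cap.NONE)
    for i in BEFORE
]

if __name__ == "__main__":
    print("flagged before:", audit(BEFORE))
    print("secure menu after:", build_menu(AFTER, secure=True))
```

Running `audit` over the real item table in a unit test turns a newly added menu entry with a save dialog into a test failure rather than another report like this one.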
