Multiple security vulnerabilities in NVDA

[nvaccessAuto]

Reported by tspivey on 2009-12-26 05:33
Here we go again (2009.1 on win7).

1. The log viewer allows the save-as command (On the log menu) to be run from secure desktops, allowing the by-now familiar running of cmd.exe.
2. The various items in the help menu allow the running of external programs which contain open/save dialogs, again allowing this same exploit.

Proof of concept:

1. Get to a secure desktop and open the log viewer. Go to log -> save As.
2. dismiss any location error dialogs that appear. (enter or escape).
3. Type %windir%\system32\c*.exe, press enter, pick cmd from the list, activate the context menu and run as administrator.

[nvaccessAuto]

Comment 1 by mdcurran on 2009-12-27 02:04
I'm wondering how far we should go with fixing this stuff. In regards to the log viewer: should we just disable saving, or should we disable the log viewer all together for secure copies of NVDA?
The reason I suggest disabling the log viewer all together is that it is very possible that sensitive information may be displayed, due to debugging etc.
So, it almost seems as though we need to simply remove tools and help from the NVDA menu if it is a secure copy.
Keeping preferences is probably safe enough, though in the long run I'd prefer that we have a way of duplicating one user's NVDA profile in to the system profile (requiring an administrative password of course) and then we'd disable saving of config in secure copies also, but that's for another ticket.

Perhaps for now, in secure copies we:

• Disable log viewer
• disable Python console (we already do this)
• Help menu: disable everything except for "about...".

Changes:
Milestone changed from None to 2010.1

[nvaccessAuto]

Comment 2 by mdcurran on 2009-12-27 02:15
Fixed in r3445. Log viewer is no longer shown in tools menu if secure, and all documentation (excluding welcome dialog and About) is no longer shown in Help menu (if secure).
Changes:
State: closed