23 Mar
2016
23 Mar
'16
3:57 p.m.
Hi,
I find that DIR_unmount_device in wine/dlls/ntdll/directory.c (latest git) is looking like an unsafe use of system().
If a device was mounted to a point such as ";ls" I think it would be passed to system and cause a command injection.
I didn't open a bug because I wasn't able to really test it due to my lack of knowledge of wine and because I can't think of a real world attack based on this as it needs to mount a device first but I think it's worth at least a thorough check.
Cédric Picard