Gnome implemented sandboxing for thumbnail parsers, but @ubuntu patches that out, because why not? https://bugs.launchpad.net/ubuntu/+source/bubblewrap/+bug/1709164 …
-
-
Would this "Permission denied" imply that perhaps there still is some sort of sandboxing going on? The platform here is Ubuntu 18.04 Desktop.pic.twitter.com/meg7u8nRrH
1 reply 0 retweets 3 likes -
Ahh, it looks like AppArmor was what protected Ubuntu in its default state. Disabling AppArmor results in successful code execution.pic.twitter.com/qCCYzOVKFZ
1 reply 1 retweet 13 likes -
hmm I didn't have to disable anything, I ran it from the live cd. does that differ significantly from the normal ubuntu desktop?
3 replies 0 retweets 0 likes -
I verified it works in default CentOS7, Just visiting a website then opening Downloads is enough. You can use my testcase if you like, http://lock.cmpxchg8b.com/ghostscript.html …pic.twitter.com/kyAe1EfqOx
2 replies 11 retweets 28 likes -
1) Why would anything appear in Downloads just by visiting a website? I am presented with a proper download prompt. 2) The page refreshes ~2 times a second, so I get a bunch of those. Annoying 3) MATE (gnome fork) appears safe, even when double-clicking on the file.
1 reply 0 retweets 0 likes -
Replying to @KirilsSolovjovs @hanno and
Chrome automatically downloads files to Downloads without prompting. You'll have to write your own testcase for whatever browser you're using.
2 replies 0 retweets 0 likes -
Replying to @taviso @KirilsSolovjovs and
It's perhaps worth noting that you don't have to manually open the downloads folder after the file downloads. Simply having the Downloads folder already open is enough. The fact that it isn't visible (minimized) doesn't matter.pic.twitter.com/WYW0FUZHwh
1 reply 0 retweets 3 likes
Or hell, use an iframe if you think that requiring a user to click something is too much of a barrier. It's a complete drive-by download.pic.twitter.com/6otGpoD39q
-
-
The vulnerability here is in gnome of course. But dangerous Chrome defaults is what’s actually enabling the drive-by download.
0 replies 0 retweets 1 likeThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.