muwire icon indicating copy to clipboard operation
muwire copied to clipboard

Published 20 hours ago verified publisher icon zlatinb

Virtual home directory structure involuntarily shared

Open Yanestra opened this issue 4 years ago • 4 comments

This is a security issue. I have not checked if I can reproduce because I considered the security impact a fundamental risk.

I have used muwire under a Linux system. An emulated Windows environment (Wine 4) was present but set up in a way that it should not be commonly usable if WINEPREFIX is not properly set in advance.

After sharing some less sensitive directories with muwire for two weeks or so I found that somebody tried to download some photos from my muwire host. I wondered where these photos came from and found that the Wine virtual home directory was now included in the list of shared directories. This specific directory is only used for Wine and downloading files from it meant no actual harm.

But to me, it was an alarm bell and I immediately shut muwire down.

Can you please check how a complete user home directory structure can be involuntarily included in the sharing? It shouldn't make much sense under usual system setups, while being a major security risk at the same time.

Yanestra avatar Mar 06 '20 04:03 Yanestra

I'm not familiar with the wine virtual environment and may need your help to reproduce this issue.

When MW shares a folder, it registers with a filesystem watch service to be notified for updates to this folder, such as entries being removed or added. Also, it shares folders recursively, so if a symlink to another folder is dropped inside a shared folder, the symlink will be resolved and the new folder shared as well. Could something like that have happened in your case?

zlatinb avatar Mar 06 '20 09:03 zlatinb

Also, can you launch MuWire, then go in Tools->Advanced Sharing and see what is listed under the "watched directories" tab?

zlatinb avatar Mar 06 '20 09:03 zlatinb

It is listed as being shared. My question would be: How did that directory get on the list?

On my system, it is not that easy to find, you know?

Wine is the only hypothetic connection which comes to my mind because Wine usually occupies several MIME entries for itself so that the standard file handler for some files gets Wine. For whatever reason. If you invoke an RTF file for instance, you get a Wine simulation of a cheap Wordpad imitation. If you'd ask it what its home directory is, it would reply something like that directory.

If I hadn't badly misclicked, I'd think of some abuse basing on Windows mechanics.

Yanestra avatar Mar 06 '20 19:03 Yanestra

There has got to be some kind of symlink that links from inside a directory you shared to the home directory then.

I suggest you unshare everything that is shared by MW, then share the directories you had originally shared one by one until you find the one that has the symlink.

To unshare safely, make sure MW is shut down, then delete the $HOME/.MuWire/files directory (or if running 0.6.8 or older, delete the $HOME/.MuWire/files.json file). Edit $HOME/.MuWire/MuWire.properties file and delete the line that starts with watchedDirectories=. Then start MW, it should have no files shared. Drag the directories you want to share on top of the MW gui one by one. After each drag, wait until it has finished hashing and check in Tools->Advanced Sharing if the home directory has appeared. When it does, check the filesystem to see if a link to the home directory exists in the last directory you dragged onto MW.

zlatinb avatar Mar 07 '20 09:03 zlatinb