NVDA Dev & Test Toolbox Log Reader Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in the NVDA Dev & Test Toolbox add-on, specifically within the Log Reader feature. This issue affects versions 2.0 through 8.0. The vulnerability arises because the log reading commands process speech log entries in an unsafe manner, allowing Python expressions embedded in the log to be evaluated. An attacker can exploit this by persuading a user to open a malicious log file and analyze it with the log reading commands. When the log is read, the injected code can execute with the user's privileges, potentially compromising the user's system. This vulnerability does not require elevated privileges and relies solely on user interaction.
Impact
Exploitation allows arbitrary code execution in the context of the current user and is rated high severity. This could lead to compromise of the user's system, particularly in developer or testing environments where logs are commonly shared.
Reproduction
To reproduce this vulnerability, open a maliciously crafted log file using the NVDA Dev & Test Toolbox Log Reader feature in a version prior to 9.0. The log file can contain embedded Python expressions, such as commands to be executed on the system. Once the log file is opened and analyzed with log reading commands, the embedded code will be executed with the current user's privileges.
Remediation
Users can update to NVDA Dev & Test Toolbox version 9.0, which addresses this vulnerability. The updated version can be downloaded from the NVDA Dev & Test Toolbox GitHub Releases page.
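For authors of similar log-analysis tooling, the class of flaw described under Vulnerability can be shown by contrasting evaluation of a log entry with syntax-only parsing. This is an added example, not code from the add-on or its fix; the "Speaking [...]" entry layout, the function names and the CANARY marker are assumptions made for illustration.

```python
import ast

PREFIX = "Speaking "
CANARY = []  # hypothetical marker: non-empty only if log text was executed

# Constructed entries; the "Speaking [...]" layout is an assumption.
BENIGN = "Speaking ['Desktop', 'list', LangChangeCommand('en')]"
HOSTILE = "Speaking ['ok', CANARY.append('ran')]"


def unsafe_speech_items(entry):
    """Anti-pattern: evaluates the logged sequence as a Python expression."""
    return eval(entry[len(PREFIX):], {"CANARY": CANARY})


def safe_speech_items(entry):
    """Read the sequence as syntax only; nothing from the log is executed."""
    if not entry.startswith(PREFIX):
        raise ValueError("not a speech entry")
    try:
        tree = ast.parse(entry[len(PREFIX):], mode="eval")
    except (SyntaxError, ValueError, RecursionError, MemoryError) as exc:
        raise ValueError("malformed speech sequence") from exc
    if not isinstance(tree.body, ast.List):
        raise ValueError("speech sequence must be a list literal")
    items = []
    for node in tree.body.elts:
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            items.append(node.value)  # spoken text, taken as data
        else:
            # Calls, names, etc. are never evaluated, only described.
            items.append("<" + type(node).__name__ + ">")
    return items


if __name__ == "__main__":
    print(safe_speech_items(BENIGN))
    print(safe_speech_items(HOSTILE))
    print(CANARY)
```

The safe parser leaves CANARY empty for both entries, while the eval-based variant runs the embedded call as a side effect of reading the entry.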
