oss-sec mailing list archives
xscreensaver: filename command injection in vidwhacker screensaver
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 14 Jun 2021 12:12:56 +0200
The "vidwhacker" screensaver in xscreensaver does not properly escape filenames of input images, allowing command injection via filenames. The autor of xscreensaver considers this a non-issue. xscreensaver contains a screensaver called "vidwhacker" which uses image files as an input and passes them to various command line tools for decoding. A user can configure a directory with images. The filenames are passed to the command line tools without any escaping. This allows injecting commands, e.g. via subshells. PoC: * Create a dir with a file named '$(touch pwn).png' * Run xscreensaver-demo, configure the vidwhacker directory to above dir and run preview. * File "pwn" gets created. I believe this is a low risk security issue. A possible attack scenario would be e.g. someone providing an image collection to a victim which is large enough that an unusual filename wouldn't be noted. The author of xscreensaver disagrees and wrote me he considers this a non-issue. -- Hanno Böck https://hboeck.de/
Current thread:
- xscreensaver: filename command injection in vidwhacker screensaver Hanno Böck (Jun 14)