OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Midnight Commander
From: Michal Zalewski (lcamtufTPI.PL)
Date: Mon Nov 27 2000 - 18:15:51 CST


The Midnight Commander 4.5.51 (latest).

$ od -t x1 mcbug
0000000 03 14 77 04 0a
$ mkdir `cat mcbug`
$ mc

(try to view this directory - 'w' - 0x77 command will be executed; longer
commands might be used, as well)

Obviously, this attack requires privledged user interaction. Midnight
Commander won't display full name of the directory if it's long enough, so
these control characters can be easily hidden.

Such problems in Midnight Commander seems to appear less or more
frequently. I am affraid this pretty useful file manager should not be
used in multiuser systems, especially by root (I can recall numerous
problems with this utility last years - code execution when viewing
specific file types, code execution via mc vfs support, etc etc) :(

Workaround: well, I am affraid only code audit might help :(

--
_______________________________________________________
Michal Zalewski [lcamtuftpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=