SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   Midnight Commander Vendors:   Gnome Development Team
Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007762
SecurityTracker URL:  http://securitytracker.com/id/1007762
CVE Reference:   CAN-2003-1023   (Links to External Site)
Updated:  Jan 6 2004
Original Entry Date:  Sep 19 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Confirmed on 4.5.52 - 4.6.0
Description:   A vulnerability was reported in Midnight Commander. A malicious compressed archive can cause the application to execute arbitrary code.

It is reported that 'vfs/direntry.c' uses an uninitialized buffer for processing symbolic links (symlinks) in compressed archives. The flaw reportedly resides in the vfs_s_resolve_symlink() function. A remote user can create a malicious file so that when a target user processes the file using Midnight Commander, arbitrary code contained in the file will be executed with the privileges of the target user.

A demonstration exploit is provided at:

http://buggzy.narod.ru/exp.tgz
Impact:   A remote user can create an archive that, when processed by a target user, will cause arbitrary code to be executed with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gnome.org/ (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 17 2004 (Debian Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (Matt Zimmerman <mdz@debian.org>)
Debian has released a fix.
Jan 21 2004 (Red Hat Issues Fix for RH Linux) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Linux.
Jan 27 2004 (Mandrake Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Feb 3 2004 (Red Hat Issues Fix for RH Enterprise Linux) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1
Mar 29 2004 (Gentoo Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has issued a fix.
Mar 31 2004 (Conectiva Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code   (Conectiva Updates <secure@conectiva.com.br>)
Conectiva has released a fix.


 Source Message Contents
Date:  Fri, 19 Sep 2003 17:47:23 +0400
Subject:  uninitialized buffer in midnight commander


Midnight Commander is using uninitialized buffer for handling symlinks in VFS (tar, cpio). See vfs/direntry.c, handling of buf[] at
 vfs_s_resolve_symlink(). I wonder but it works almost properly ;-)

On linux-i386 I can reach stack buffer overflow using specially crafted archive. Open http://buggzy.narod.ru/exp.tgz in mc's VFS to
 test (mc will crash).

Affected systems/vendors/archs: at least linux-i386, mc-4.5.52 to mc-4.6.0, too lazy to test others ;-)

P.S. Greetings to iDEFENSE VCP. I'm tired and hungry ;)


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC