SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Midnight Commander
Vendors:   Gnome Development Team
Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007762
SecurityTracker URL:  http://securitytracker.com/id/1007762
CVE Reference:   CVE-2003-1023
Updated:  Jan 6 2004
Original Entry Date:  Sep 19 2003
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Confirmed on 4.5.52 - 4.6.0
Description:   A vulnerability was reported in Midnight Commander. A malicious compressed archive can cause the application to execute arbitrary code.

It is reported that 'vfs/direntry.c' uses an uninitialized buffer for processing symbolic links (symlinks) in compressed archives. The flaw reportedly resides in the vfs_s_resolve_symlink() function. A remote user can create a malicious file so that when a target user processes the file using Midnight Commander, arbitrary code contained in the file will be executed with the privileges of the target user.

A demonstration exploit is provided at:

http://buggzy.narod.ru/exp.tgz

Impact:   A remote user can create an archive that, when processed by a target user, will cause arbitrary code to be executed with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  gnome.org/
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)
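
The flaw class named in the Description (a path buffer used before it is initialized), as an added illustration in C; it is not Midnight Commander's source or the reporter's code. It assumes an append-style path join; `PATH_BUF`, the function names and the sample link values are constructed.

```c
#include <stdio.h>
#include <string.h>
#define PATH_BUF 32u                            /* stand-in buffer size (assumption) */
static const char *LINK_DIR = "docs";           /* constructed sample values */
static const char *LINK_TARGET = "../etc/motd";

/* Flawed pattern: append into buf[] without terminating it first. */
static size_t resolve_unsafe(char *buf, const char *dir, const char *target)
{
    strcat(buf, dir);       /* begins at the first NUL already in buf */
    strcat(buf, "/");
    strcat(buf, target);
    return strlen(buf) + 1; /* bytes occupied, including the terminator */
}

/* Hardened form: snprintf overwrites buf from offset 0 and reports truncation. */
static int resolve_safe(char *buf, size_t cap, const char *dir, const char *target)
{
    int n = snprintf(buf, cap, "%s/%s", dir, target);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Model `stale` leftover non-NUL bytes in an arena big enough that the
 * demonstration never writes out of bounds itself. */
static size_t demo_unsafe(size_t stale)
{
    char arena[4 * PATH_BUF] = {0};
    if (stale > 2 * PATH_BUF) stale = 2 * PATH_BUF;
    memset(arena, 'A', stale);
    return resolve_unsafe(arena, LINK_DIR, LINK_TARGET);
}

/* Fully stale buffer, hardened join: returns 0 and copies the path to out. */
static int demo_safe(char *out)
{
    char buf[PATH_BUF];
    memset(buf, 'A', sizeof buf);
    int rc = resolve_safe(buf, sizeof buf, LINK_DIR, LINK_TARGET);
    if (rc == 0) strcpy(out, buf);
    return rc;
}

int main(void)
{
    char out[PATH_BUF] = "";
    printf("clean buffer: %zu bytes\n", demo_unsafe(0));
    printf("28 stale bytes: %zu bytes, buffer holds %u\n", demo_unsafe(28), PATH_BUF);
    printf("hardened: rc=%d path=%s\n", demo_safe(out), out);
    return 0;
}
```

With the flawed join, the number of bytes written depends on whatever was left in the buffer, so the same short link fits in one call and exceeds `PATH_BUF` in another.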

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 17 2004 (Debian Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Debian has released a fix.
Jan 21 2004 (Red Hat Issues Fix for RH Linux) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Linux.
Jan 27 2004 (Mandrake Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Mandrake has released a fix.
Feb 3 2004 (Red Hat Issues Fix for RH Enterprise Linux) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Red Hat has released a fix for Red Hat Enterprise Linux 2.1.
Mar 29 2004 (Gentoo Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Gentoo has issued a fix.
Mar 31 2004 (Conectiva Issues Fix) Midnight Commander Uninitialized Buffer May Let Remote Users Execute Arbitrary Code
Conectiva has released a fix.



 Source Message Contents

Subject:  uninitialized buffer in midnight commander


Midnight Commander is using an uninitialized buffer for handling symlinks in VFS (tar, cpio). See vfs/direntry.c, handling of buf[] at vfs_s_resolve_symlink(). I wonder but it works almost properly ;-)

On linux-i386 I can reach a stack buffer overflow using a specially crafted archive. Open http://buggzy.narod.ru/exp.tgz in mc's VFS to test (mc will crash).

Affected systems/vendors/archs: at least linux-i386, mc-4.5.52 to mc-4.6.0, too lazy to test others ;-)

P.S. Greetings to iDEFENSE VCP. I'm tired and hungry ;)

 
 



Copyright 2021, SecurityGlobal.net LLC