[Full-disclosure] Arbitrary Command Execution in Windows and Unix Shells.
- To: Jan Minář <rdancer@xxxxxxxxxxx>
- Subject: [Full-disclosure] Arbitrary Command Execution in Windows and Unix Shells.
- From: Bob Beck <beck@xxxxxxxxxxx>
- Date: Fri, 22 Aug 2008 10:43:01 -0600
Stupidity + Copy and Paste Considered Harmful
>
> 4. EXPLOIT
>
> Copy-and-paste these examples into separate files:
>
> ;xclock
> vim: set iskeyword=;,@
>
> Place your cursor on ``xclock'', and press K. xclock appears.
>
> ;date>>pwned
> vim: set iskeyword=1-255
>
> Place your cursor on ``date'' and press K. File ``pwned'' is created in
> the current working directory.
>
> Please note: If modeline processing is disabled, set the 'iskeyword'
> option manually.
>
> See the thread on the Vim Developers' mailing list for some other
> examples[2].
>
(yes indeed, vim doesn't completely sanitize its input)
EXPLOIT:
echo '1 b3 1ee7' >> pwned
Copy and paste the above line into a unix shell or windows cmd window. File
pwned is created. Note, if the windowing system is not started, type the above
command in manually.
IMPACT:
I can create this file and mail it to ANYONE! ZOMG! Someone get me
Kaminsky's slide templates so I can get the PR machine going for this
discovery.
And I thought XSS stuff was lame. Sheesh.
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
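
Added example, not part of the original message or the quoted advisory: a Python check that finds modelines like the two quoted above, where 'iskeyword' admits shell metacharacters into the word that K hands to the keyword program. It assumes the comma-separated iskeyword list syntax (characters, decimal codes, ranges, `@` for alphabetic, leading `^` to exclude) and does not handle the literal-comma forms; the function names and the sample text are constructed for illustration.

```python
import re

# Characters a shell treats as separators, substitutions or redirections.
SHELL_META = set(";|&`$<>()")
# Lenient match for a modeline that sets 'iskeyword' (short name 'isk').
MODELINE = re.compile(r"\b(?:vim?|ex):.*?\b(?:iskeyword|isk)=([^\s:]+)")
# One list part: a character or decimal code, optionally "-" and a second one.
PART = re.compile(r"(\d{1,3}|\D)(?:-(\d{1,3}|\D))?")

def _code(tok):
    """Decimal character number, or the code of a literal character."""
    return int(tok) if tok.isdigit() else ord(tok)

def keyword_chars(value):
    """Expand an iskeyword value into the set of characters it enables."""
    chars = set()
    for part in value.split(","):
        exclude = len(part) > 1 and part.startswith("^")
        if exclude:
            part = part[1:]
        if part == "@":  # all alphabetic characters
            span = {chr(c) for c in range(256) if chr(c).isalpha()}
        else:
            m = PART.fullmatch(part)
            if not m:  # empty or malformed part (",," is not handled)
                continue
            lo, hi = _code(m.group(1)), _code(m.group(2) or m.group(1))
            span = {chr(c) for c in range(lo, hi + 1)}
        chars = chars - span if exclude else chars | span
    return chars

def risky_modelines(text):
    """Return (line number, iskeyword value, metacharacters) per risky modeline."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = MODELINE.search(line)
        meta = sorted(SHELL_META & keyword_chars(m.group(1))) if m else []
        if meta:
            hits.append((n, m.group(1), meta))
    return hits

# Constructed sample: the two modelines quoted above plus a benign one.
SAMPLE = """;xclock
vim: set iskeyword=;,@
;date>>pwned
vim: set iskeyword=1-255
# vim: set isk=@,48-57,_,192-255:
"""
```

Opening untrusted files with modelines disabled (`set nomodeline`) keeps a file from setting the option in the first place.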