| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Aug 2008 10:43:01 -0600
From: Bob Beck <beck@...berta.ca>
To: Jan Min???? <rdancer@...ncer.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Arbitrary Command Execution in Windows and Unix
Shells.
Stupidity + Copy and Paste Considered Harmful
>
> 4. EXPLOIT
>
> Copy-and-paste these examples into separate files:
>
> ;xclock
> vim: set iskeyword=;,@
>
> Place your cursor on ``xclock'', and press K. xclock appears.
>
> ;date>>pwned
> vim: set iskeyword=1-255
>
> Place your cursor on ``date'' and press K. File ``pwned'' is created in
> the current working directory.
>
> Please note: If modeline processing is disabled, set the 'iskeyword'
> option manually.
>
> See the thread on the Vim Developers' mailing list for some other
> examples[2].
>
(yes indeed, vim doesn't completely sanitize it's input)
EXPLOIT:
echo '1 b3 1ee7' >> pwned
Copy and paste the above line into a unix shell or windows cmd window. File pwned is
created. Note, if the windowing system is not started, type the above command in
manually.
IMPACT:
I can create this file and mail it to ANYONE! ZOMG! Someone get me
Kaminsky's slide templates so I can get the PR machine going for this
discovery.
And I thought XSS stuff was lame. Sheesh.
--
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
print "Larry and Tom must smoke some really primo stuff...\n";
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists