full-disclosure-uk August 2008 archive

[Full-disclosure] Arbitrary Command Execution in Windows and Unix Shells.

From: Bob Beck <beck_at_nospam>
Date: Fri Aug 22 2008 - 16:43:01 GMT
To: Jan Minář <rdancer@rdancer.org>


Stupidity + Copy and Paste Considered Harmful

>
> 4. EXPLOIT
>
> Copy-and-paste these examples into separate files:
>
> ;xclock
> vim: set iskeyword=;,@
>
> Place your cursor on ``xclock'', and press K. xclock appears.
>
> ;date>>pwned
> vim: set iskeyword=1-255
>
> Place your cursor on ``date'' and press K. File ``pwned'' is created in
> the current working directory.
>
> Please note: If modeline processing is disabled, set the 'iskeyword'
> option manually.
>
> See the thread on the Vim Developers' mailing list for some other
> examples[2].
>

(yes indeed, vim doesn't completely sanitize its input)

EXPLOIT: echo '1 b3 1ee7' >> pwned

Copy and paste the above line into a Unix shell or Windows cmd window. File pwned is created. Note: if the windowing system is not started, type the above command in manually.

IMPACT:  I can create this file and mail it to ANYONE! ZOMG! Someone get me Kaminsky's slide templates so I can get the PR machine going for this discovery.

And I thought XSS stuff was lame. Sheesh.

-- 
#!/usr/bin/perl
if ((not 0 && not 1) != (! 0 && ! 1)) {
    print "Larry and Tom must smoke some really primo stuff...\n";
}

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
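The quoted advisory relies on a modeline widening 'iskeyword' so that the "word" under the cursor carries shell metacharacters into the `K` (keywordprg) command. Whatever one thinks of the severity, a reviewer of incoming text files may want to spot such modelines. The scanner below is an added example written for this page; it is not code from the original post, from the advisory's author, or from the Vim project. It parses both modeline forms, evaluates the 'iskeyword' value with Vim's comma-separated range syntax (single characters, `a-z` and `48-57` style ranges, `@` for letters, `^` for exclusions) and flags any setting that admits common shell metacharacters. The sample file contents are constructed inline from the advisory's two examples plus one benign file; the function names and the set of metacharacters checked are this example's own choices, and the scanner looks at every line rather than only the first and last few that Vim honours, which is deliberately conservative.

```python
import re

# Characters that change the meaning of "man <word>" (or any keywordprg)
# once they are part of the word under the cursor. Assumption of this
# example: this set is what counts as "dangerous"; extend as needed.
SHELL_META = set(";|&><$`()")

# Matches "vi:", "vim:", "Vim:" or "ex:" at line start or after whitespace.
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')
SET_FORM_RE = re.compile(r'(?:setl(?:ocal)?|se(?:t)?)\s+(.*)')


def parse_modeline_options(line):
    """Return {option: value} for a Vim modeline, or None if the line has none.

    First form:  vim:opt=val:opt=val   (options separated by ':' or spaces)
    Second form: vim: set opt=val opt=val:   (options end at the first ':')
    """
    m = MODELINE_RE.search(line)
    if not m:
        return None
    rest = m.group(1).strip()
    set_form = SET_FORM_RE.match(rest)
    if set_form:
        # Second form: everything up to the first unescaped ':' is options.
        rest = re.split(r'(?<!\\):', set_form.group(1), 1)[0]
    else:
        # First form: ':' and whitespace both separate options.
        rest = rest.replace(':', ' ')
    opts = {}
    for tok in rest.split():
        name, _, value = tok.partition('=')
        opts[name] = value
    return opts


def iskeyword_includes(value, ch):
    """Evaluate a Vim 'iskeyword' value for one character.

    Parts are processed left to right; a part prefixed with '^' excludes
    what an earlier part included, matching Vim's documented behaviour.
    Simplification: a literal comma (written as an empty part) is ignored.
    """
    code = ord(ch)
    included = False
    for part in value.split(','):
        if not part:
            continue
        exclude = part.startswith('^') and len(part) > 1
        if exclude:
            part = part[1:]
        if part == '@':              # all alphabetic characters
            hit = ch.isalpha()
        elif part == '@-@':          # the literal '@'
            hit = ch == '@'
        else:
            num_range = re.fullmatch(r'(\d+)-(\d+)', part)
            if num_range:
                lo, hi = int(num_range.group(1)), int(num_range.group(2))
            elif part.isdigit():     # a bare number is a character code
                lo = hi = int(part)
            elif len(part) == 3 and part[1] == '-':
                lo, hi = ord(part[0]), ord(part[2])
            elif len(part) == 1:
                lo = hi = ord(part)
            else:
                continue             # unsupported syntax: skip the part
            hit = lo <= code <= hi
        if hit:
            included = not exclude
    return included


def scan_text(text):
    """Return [(line_no, iskeyword_value, [offending chars])] for modelines
    whose 'iskeyword' (or 'isk') setting admits shell metacharacters."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        opts = parse_modeline_options(line)
        if not opts:
            continue
        value = opts.get('iskeyword', opts.get('isk'))
        if value is None:
            continue
        bad = sorted(c for c in SHELL_META if iskeyword_includes(value, c))
        if bad:
            findings.append((n, value, bad))
    return findings


# Constructed sample files: the advisory's two examples and a benign one.
SAMPLES = {
    "clock.txt": ";xclock\nvim: set iskeyword=;,@\n",
    "pwned.txt": ";date>>pwned\nvim: set iskeyword=1-255\n",
    "benign.txt": "some text\nvim: set ts=4 sw=4 isk=@,48-57,_,192-255:\n",
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        for line_no, value, bad in scan_text(content):
            print(f"{name}:{line_no}: iskeyword={value} admits {''.join(bad)}")
```

Run as a script it reports the two advisory samples and stays silent on the benign file; imported, `scan_text` can be fed the contents of any file before it is opened in an editor with modelines enabled. The exclusion handling matters: a value such as `1-255,^;` legitimately re-excludes the semicolon and should not be flagged.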