Midnight Commander cons.saver Arbitrary File Write Vulnerability
BID:1945
Info
| Bugtraq ID: | 1945 |
| Class: | Unknown |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 13 2000 12:00AM |
| Updated: | Nov 13 2000 12:00AM |
| Credit: | First posted to Bugtraq by Maurycy Prodeus on Nov 13, 2000. |
| Vulnerable: | Midnight Commander Midnight Commander 4.5.42 |
| Not Vulnerable: | |
Discussion
Midnight Commander is a file management tool for Unix systems. Versions 4.5.42 (and likely earlier versions) ship with a tool called cons.saver, installed setuid root, that Midnight Commander uses when it is run from a Unix console. The cons.saver program contains a vulnerability that may allow local users to corrupt arbitrary files on the filesystem.
The primary argument to this utility is the path/filename of the terminal device it will use. When cons.saver opens the specified file it tests to determine whether it is a tty or not, but does not close the file descriptor if this test fails. As a result, if a user closes the file descriptor for standard output before cons.saver is executed, cons.saver will open the supplied file and allocate to it file descriptor 1 (standard output) automatically. A null will then be written to what should be standard output but is now the target file before the process exits. If the file specified is a symbolic link, the null will be written to the file pointed to.
Since cons.saver is installed setuid root, any file pointed to by the symbolic link can have a null written to it. This can lead to a local denial of service.
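The descriptor handling described above, as an added example that is not code from cons.saver or from the patch posted to Bugtraq: the leaky open-then-test pattern next to a hardened form with a startup guard for descriptors 0 to 2. The function names `open_tty_leaky`, `ensure_std_fds` and `open_tty_checked` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <unistd.h>

/* Pattern from the advisory: when the tty test fails the descriptor stays
 * open, keeping whatever number open() assigned (the lowest free one). */
int open_tty_leaky(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0 || !isatty(fd))
        return -1;                     /* non-tty path leaks fd */
    return fd;
}

/* Startup guard: fill any closed slot in 0..2 with /dev/null so a later
 * open() can never be handed a standard descriptor. */
int ensure_std_fds(void)
{
    int fd;
    do {
        fd = open("/dev/null", O_RDWR);
    } while (fd >= 0 && fd <= 2);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened open: refuse a symlink as the final path component, reject a
 * result that landed on 0..2, and close the descriptor if it is not a tty. */
int open_tty_checked(const char *path)
{
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fd <= 2 || !isatty(fd)) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (ensure_std_fds() < 0)
        return 2;
    /* exit status 0 = tty accepted, 1 = rejected with nothing left open */
    return open_tty_checked(argc > 1 ? argv[1] : "/dev/tty") >= 0 ? 0 : 1;
}
```

A setuid helper should call the startup guard before any other `open()`, and should keep the descriptor check even with the guard in place.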
Exploit / POC
Maurycy Prodeus submitted an exploit in his post to Bugtraq.
Solution / Fix
Solution:
Maurycy Prodeus submitted an unofficial patch in his post to Bugtraq.
Midnight Commander Midnight Commander 4.5.42
- Debian 2.2 Alpha gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-alpha/gmc_4.5.42-11.potato.5_alpha.deb
- Debian 2.2 Alpha mc-common_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-alpha/mc-common_4.5.42-11.potato.5_alpha.deb
- Debian 2.2 Alpha mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-alpha/mc_4.5.42-11.potato.5_alpha.deb
- Debian 2.2 arm gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-arm/gmc_4.5.42-11.potato.5_arm.deb
- Debian 2.2 arm mc-common_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-arm/mc-common_4.5.42-11.potato.5_arm.deb
- Debian 2.2 arm mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-arm/mc_4.5.42-11.potato.5_arm.deb
- Debian 2.2 i386 gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-i386/gmc_4.5.42-11.potato.5_i386.deb
- Debian 2.2 i386 mc-common_4.5.42
  http://security.debian.org/dists/stable/updates/main/binary-i386/mc-common_4.5.42-11.potato.5_i386.deb
- Debian 2.2 i386 mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-i386/mc_4.5.42-11.potato.5_i386.deb
- Debian 2.2 m68k gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-m68k/gmc_4.5.42-11.potato.5_m68k.deb
- Debian 2.2 m68k mc-common_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-m68k/mc-common_4.5.42-11.potato.5_m68k.deb
- Debian 2.2 m68k mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-m68k/mc_4.5.42-11.potato.5_m68k.deb
- Debian 2.2 ppc gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/gmc_4.5.42-11.potato.5_powerpc.deb
- Debian 2.2 ppc mc-common_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/mc-common_4.5.42-11.potato.5_powerpc.deb
- Debian 2.2 ppc mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-powerpc/mc_4.5.42-11.potato.5_powerpc.deb
- Debian 2.2 Sparc gmc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-sparc/gmc_4.5.42-11.potato.5_sparc.deb
- Debian 2.2 Sparc mc-common_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-sparc/mc-common_4.5.42-11.potato.5_sparc.deb
- Debian 2.2 Sparc mc_4.5.42-11
  http://security.debian.org/dists/stable/updates/main/binary-sparc/mc_4.5.42-11.potato.5_sparc.deb
- MandrakeSoft 6.0 i386 gmc-4.5.31-14.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.0/RPMS/gmc-4.5.31-14.1mdk.i586.rpm
- MandrakeSoft 6.0 i386 mc-4.5.31-14.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.0/RPMS/mc-4.5.31-14.1mdk.i586.rpm
- MandrakeSoft 6.0 i386 mcserv-4.5.31-14.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.0/RPMS/mcserv-4.5.31-14.1mdk.i586.rpm
- MandrakeSoft 6.1 i386 gmc-4.5.38-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.1/RPMS/gmc-4.5.38-4.1mdk.i586.rpm
- MandrakeSoft 6.1 i386 mc-4.5.38-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.1/RPMS/mc-4.5.38-4.1mdk.i586.rpm
- MandrakeSoft 6.1 i386 mcserv-4.5.38-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/6.1/RPMS/mcserv-4.5.38-4.1mdk.i586.rpm
- MandrakeSoft 7.0 i386 gmc-4.5.42-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.0/RPMS/gmc-4.5.42-4.1mdk.i586.rpm
- MandrakeSoft 7.0 i386 mc-4.5.42-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.0/RPMS/mc-4.5.42-4.1mdk.i586.rpm
- MandrakeSoft 7.0 i386 mcserv-4.5.42-4.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.0/RPMS/mcserv-4.5.42-4.1mdk.i586.rpm
- MandrakeSoft 7.1 i386 gmc-4.5.46-1.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.1/RPMS/gmc-4.5.46-1.1mdk.i586.rpm
- MandrakeSoft 7.1 i386 mc-4.5.46-1.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.1/RPMS/mc-4.5.46-1.1mdk.i586.rpm
- MandrakeSoft 7.1 i386 mcserv-4.5.46-1.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.1/RPMS/mcserv-4.5.46-1.1mdk.i586.rpm
- MandrakeSoft 7.2 i386 gmc-4.5.51-7.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.2/RPMS/gmc-4.5.51-7.1mdk.i586.rpm
- MandrakeSoft 7.2 i386 mc-4.5.51-7.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.2/RPMS/mc-4.5.51-7.1mdk.i586.rpm
- MandrakeSoft 7.2 i386 mcserv-4.5.51-7.1mdk.i586.rpm
  http://sunsite.ualberta.ca/pub/Mirror/Linux/mandrake/7.2/RPMS/mcserv-4.5.51-7.1mdk.i586.rpm
- Maurycy Prodeus cons.saver.patch
  /data/vulnerabilities/patches/cons.saver.patch