List:       oss-security
Subject:    [oss-security] xscreensaver: filename command injection in vidwhacker screensaver
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2021-06-14 10:12:56
Message-ID: 20210614121256.75640f6b () computer

The "vidwhacker" screensaver in xscreensaver does not properly escape
filenames of input images, allowing command injection via filenames.

The author of xscreensaver considers this a non-issue.

xscreensaver contains a screensaver called "vidwhacker" which uses
image files as an input and passes them to various command line tools
for decoding. A user can configure a directory with images.

The filenames are passed to the command line tools without any
escaping. This allows injecting commands, e.g. via subshells.

PoC:
* Create a dir with a file named '$(touch pwn).png'
* Run xscreensaver-demo, configure the vidwhacker directory to above
  dir and run preview.
* File "pwn" gets created.

I believe this is a low risk security issue. A possible attack
scenario would be e.g. someone providing an image collection to a
victim which is large enough that an unusual filename wouldn't be noted.

The author of xscreensaver disagrees and wrote me he considers this a
non-issue.

-- 
Hanno Böck
https://hboeck.de/
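
The bug class described in the message above, as an added example that is not part of the original post and is not vidwhacker's code. It contrasts pasting a filename into a shell command string with passing it as a separate argument, using the PoC filename; `cat` stands in for an image decoder and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo of the bug class; "cat" stands in for an image decoder.

# Vulnerable pattern: the filename is pasted into a command string that a
# shell then parses, so $(...) inside the name is executed.
decode_unsafe() {
    sh -c "cat -- $1 >/dev/null" 2>/dev/null
}

# Hardened pattern: the command string is constant; the filename travels
# as a separate argument ("$1" in the inner shell) and is never parsed.
decode_safe() {
    sh -c 'cat -- "$1" >/dev/null' sh "$1"
}

# Run one decoder over the PoC filename in a fresh scratch directory and
# report whether the marker file "pwn" appeared.
# $1 = decode_unsafe | decode_safe ; prints "injected" or "clean"
check_decoder() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        mkdir images
        : > 'images/$(touch pwn).png'   # filename from the PoC above
        for f in images/*; do
            "$1" "$f" || true           # decoder errors are not the point
        done
        if [ -e pwn ]; then echo injected; else echo clean; fi
    )
    rm -rf "$scratch"
}

check_decoder decode_unsafe
check_decoder decode_safe
```

The same rule applies in any language that can spawn processes: use the argument-vector form of exec/system rather than a single interpolated command string.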