[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] xscreensaver: filename command injection in vidwhacker screensaver
From: Hanno =?iso-8859-1?q?B=F6ck?= <hanno () hboeck ! de>
Date: 2021-06-14 10:12:56
Message-ID: 20210614121256.75640f6b () computer
[Download RAW message or body]
The "vidwhacker" screensaver in xscreensaver does not properly escape
filenames of input images, allowing command injection via filenames.
The autor of xscreensaver considers this a non-issue.
xscreensaver contains a screensaver called "vidwhacker" which uses
image files as an input and passes them to various command line tools
for decoding. A user can configure a directory with images.
The filenames are passed to the command line tools without any
escaping. This allows injecting commands, e.g. via subshells.
PoC:
* Create a dir with a file named '$(touch pwn).png'
* Run xscreensaver-demo, configure the vidwhacker directory to above
dir and run preview.
* File "pwn" gets created.
I believe this is a low risk security issue. A possible attack
scenario would be e.g. someone providing an image collection to a
victim which is large enough that an unusual filename wouldn't be noted.
The author of xscreensaver disagrees and wrote me he considers this a
non-issue.
--
Hanno Böck
https://hboeck.de/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic