Last night at the meeting, someone asked me if 'cat' could be used to run a program on a system. We had a good laugh about it, but apparently it's true... I was able to get 'cat' to run any program I wanted on my system, and here's how.
I was checking my nightly emails this morning, and noticed a very alarming bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030 This is on my FreeBSD system, but the FreeBSD bug report just linked to the Debian one which has all the juicy details! The jist of it is, XTerm 222-letch2 (223 on FreeBSD) is broken, so if XTerm displays a specific string, it will execute any command you want! For example: (From debian.org) # perl -e 'print "\eP\$q\nbad-command\n\e\\"' Executes bad-command... and it actually works! Another simple example: # perl -e 'print "\eP\$q\necho hello\n\e\\"' > /tmp/badfile # cat /tmp/badfile This puts the offending string into a file (imagine this was in a log file you often view as root!) Then, when cat is called on the file, the program "echo hello" is executed and "hello" is printed to the screen! -Mark C. _______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying
