On 20/08/08 09:47, Jan Minář wrote:
> On Wed, Aug 20, 2008 at 8:18 AM, Tony Mechelynck
> <[EMAIL PROTECTED]>  wrote:
>> On 20/08/08 06:51, Jan Minář wrote:
>> [...]
>>> Opening the following URL using the K command will launch the
>>> xclock(1x) program:
>>>
>>>       http://www.google.co.uk/search?q=&xclock&;
>> Pasting this into the SeaMonkey location bar opens a Google page.
>> Hitting K on it in gvim with 'keywordprg' set to "seamonkey" invokes
>> ":!seamonkey http" which gives a page from the site http://www.http.com/
>> In neither case do I see any xclock process, even though the program is
>> in my $PATH.
>
> You need to have 'iskeyword' set to a sensible value.  Sensible, that
> is, for handling URLs.  A version using a modeline to set the
> 'iskeyword':
>
>      http://www.example.com&xclock&;
>      vim: iskeyword=58,?,#,[,],@,!,$,&,',(,),*,+,44,;,=,45,.,_,~,/,48-57,A-Z,a-z,%

This time Vim says ":!seamonkey www.example.com&xclock&" which apparently 
doesn't do anything. Pasting the URL into the Location bar gives

Address Not Found

www.example.com&xclock& could not be found. Please check the name and 
try again.

The browser could not find the host server for the provided address.

     * Did you make a mistake when typing the domain? (e.g. 
       "ww.mozilla.org" instead of "www.mozilla.org")
     * Are you certain this domain address exists?  Its registration may 
       have expired.
     * Are you unable to browse other sites?  Check your network 
       connection and DNS server settings.
     * Is your computer or network protected by a firewall or proxy? 
       Incorrect settings can interfere with Web browsing.

        [ Try Again ]

"ps -lC xclock" still doesn't show anything.

>
>
>>> But, of course, it's much worse:  Since the URL is inside a buffer, we
>>> can assume the whole of the buffer can be controlled by the attacker.
>>> They can use a modeline to set 'iskeyword' to contain any characters
>>> needed for a particular shell command:
>>>
>>>       /* We use an obscure glibc function -- check out the man page! */
>>>       clockface = (xclock&)pwnme(a, b, x + y);
>>>       [...]
>>>       /* vim:iskeyword:a-z,&,),(: */
>
> The above will of course not work.  The following will:
>
>      /* We use an obscure glibc function -- check out the man page! */
>      clockface =&(xclock)&pwnme (a, b, x + y);
>      /* :vim:iskeyword=a-z,&,),(: */

No error this time, but still says ":!seamonkey clockface" and loads 
http://www.apple.com/

>
> Cheers,
> Jan.

Well, I couldn't reproduce your exploit with the Mozilla SeaMonkey 
2.0a1pre browser. You can see its UA string in the headers of this post.

Best regards,
Tony.
-- 
God is Dead
                -- Nietzsche
Nietzsche is Dead
                -- God
Nietzsche is God
                -- The Dead
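As an added defender's check, not code from this thread or from Vim itself, the following Python scanner mimics Vim's modeline window (first and last 'modelines' lines) and flags any 'iskeyword' value that would let shell metacharacters become part of the word K passes to 'keywordprg'. It assumes a simplified modeline grammar (no "vim700:"-style version forms) and a constructed SHELL_META list.

```python
import re
MODELINES = 5   # Vim checks this many leading and trailing lines (Vim's default)
# Characters that must never count as "keyword" characters when K hands the
# word under the cursor to ":!keywordprg <word>".  Constructed list; extend it.
SHELL_META = set("&;|$`<>()'\"*?!\\ \t")
# "vi:", "vim:", "Vim:" or "ex:" at line start or after whitespace
# (assumption: version forms such as "vim700:" are not handled).
_MODELINE = re.compile(r'(?:^|\s)(?:vi|[vV]im|ex):\s*(.*)$')

def _option_chunks(options: str) -> list:
    """Split modeline text into 'name=value' items (both modeline forms)."""
    m = re.match(r'se(?:t)?\s+(.*?):', options)          # "set opt opt: text"
    if m:
        return m.group(1).split()
    return [c for c in re.split(r'[\s:]+', options) if c]  # "opt:opt:opt"

def iskeyword_chars(value: str) -> set:
    """Expand an 'iskeyword' value: chars, codes (58), ranges, '@', '^' items."""
    chars = set()
    for item in value.split(','):
        exclude = item.startswith('^') and len(item) > 1
        item = item[1:] if exclude else item
        rng = re.fullmatch(r'(\d+|.)-(\d+|.)', item)
        if rng:       # endpoints are literal characters or decimal codes
            lo, hi = (chr(int(t)) if t.isdigit() else t for t in rng.groups())
            part = {chr(c) for c in range(ord(lo), ord(hi) + 1)}
        elif item == '@':
            part = {chr(c) for c in range(256) if chr(c).isalpha()}
        elif item.isdigit():
            part = {chr(int(item))}
        else:
            part = {item} if len(item) == 1 else set()
        chars = chars - part if exclude else chars | part
    return chars

def suspicious_modelines(text: str, meta=SHELL_META) -> list:
    """(line no, iskeyword value, bad chars) for modelines in the scanned window."""
    lines = text.splitlines()
    idx = range(len(lines))
    hits = []
    for i in sorted(set(idx[:MODELINES]) | set(idx[-MODELINES:])):
        m = _MODELINE.search(lines[i])
        for chunk in _option_chunks(m.group(1)) if m else []:
            name, sep, val = chunk.partition('=')
            if sep and name in ('iskeyword', 'isk'):
                bad = iskeyword_chars(val) & meta
                if bad:
                    hits.append((i + 1, val, ''.join(sorted(bad))))
    return hits
```

Run it over a file before opening it with K enabled; an empty list means no modeline in Vim's window widens 'iskeyword' to shell syntax. Setting 'nomodeline' in vimrc removes the vector entirely.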

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
