[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Arbitrary shell command injection in lilypond-invoke-editor
From: |
Gabriel Corona |
Subject: |
Arbitrary shell command injection in lilypond-invoke-editor |
Date: |
Wed, 15 Nov 2017 00:12:48 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0 |
Hi,
I reported this bug on sensible-browser:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881767
The summary is that some specially crafted URIs might lead to the
injection of arbitrary arguments when calling the browser.
As mentioned in the bug report, I found other softwares having this same
vulnerability and lilypond-invoke-editor is one of them.
In fact, in lilypond-invoke-editor's case it's even worse than that as
lilypond-invoke-editor can be used to execute arbitrary commands:
BROWSER="chromium" /usr/bin/lilypond-invoke-editor
"http://www.example.com/ & xterm"
BROWSER="chromium" /usr/bin/lilypond-invoke-editor
"http://www.example.com/&xterm"
(While the first argument is an invalid URI, the second example is an
absolutely valid one).
As a proof of concept, you'll find as an attachment an example PDF file.
Clicking on the link using mupdf, spawns a xterm process:
BROWSER="lilypond-invoke-editor" mupdf test.pdf
Cheers,
--
Gabriel
test.pdf
Description: Adobe PDF document
- Arbitrary shell command injection in lilypond-invoke-editor,
Gabriel Corona <=