Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-sun > 03 > 040117.html (Request Expert securityfocus.com Support)

Re: .exrc file security risks

From: Benjamin A. Okopnik <ben(at)callahans.org>
Date: Tue Apr 29 2003 - 21:04:12 EDT

On Tue, Apr 29, 2003 at 06:44:25PM -0400, Paul Greene wrote:
> Hello All,

A ".exrc" is a resource file for "vi". It's simply a text file. More than that, you can make _any_ file act the part of ".exrc" by using the ":so <file>" command from within "vi"; you could even enter the commands into a document and source the buffer itself (IIRC.) You can also specify a number of these things via the EXINIT variable.

There is, however, a way that you can get whacked by one, and there's not much you can do to prevent it (other than user education, our Holy Grail. :) If Joe User downloads a tarball that $EVIL_HACKER has created, here's how it can go:

tar xvzf evil.tgz 

	fun_game/foo
	fun_game/bar	# This is a fun game - really!
	fun_game/gzot
	html/.exrc	# WHOOPS...

Now, whenever Joe runs "vi" in the "html" subdirectory, he will be sourcing all the macros, etc. specified in "html/.exrc". I won't show any specific examples, but macros in "vi" can execute shell commands - and any keystroke can be tied to a macro.

The autoloading of the per-directory .exrc files (and shell escape/write commands in them) can be disabled by invoking the "secure" command in "/etc/exrc". However, it can be cancelled with a "nosecure" line in a user's "~/.exrc" or even per-invocation:

EXINIT=nosecure vi <file>

Do you need help?X

For more info, enter ":help trojan-horse" at a modeline in a recent copy of Vim.

Ben Okopnik
-=-=-=-=-=- Received on Thu May 1 13:02:15 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library