FreeBSD libedit ".editrc" from Current Directory Vulnerability

If an ".editrc" file exists in the current directory, libedit will incorrectly read its configuration from that file. The correct behaviour is to read ".editrc" from the user's home directory.

Additionally, libedit will not check the ownership of .editrc. Therefore, by creating an .editrc file in the directory from which an application linked to libedit is run, an attacker can cause the application to execute arbitrary key rebindings and exercise terminal capabilities.

ftp(1), for example, is linked to libedit and includes the ability to escape to a shell and execute a command.

The following is believed to be a complete list of statically and dynamically linked FreeBSD system utilities which link against libedit:

/bin/sh
/sbin/fsdb
/usr/bin/ftp
/usr/sbin/cdcontrol
/usr/sbin/lpc
/usr/sbin/nslookup
/usr/sbin/pppctl
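
The two checks the advisory finds missing (resolve ".editrc" from the home directory only, and verify the file's ownership before reading it) can be sketched as follows. This is an added example, not libedit's code or the FreeBSD fix; the function names `rc_file_is_trusted` and `home_editrc_path`, and the choice to also accept root-owned files and reject group- or world-writable ones, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 only if path is a regular file (not a
 * symlink), owned by uid or root, and not writable by group or others. */
int rc_file_is_trusted(const char *path, uid_t uid)
{
    struct stat st;
    int ok = 0;
    /* O_NOFOLLOW: refuse a symlink planted in place of the file. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return 0;
    /* fstat on the open descriptor avoids a check-then-open race. */
    if (fstat(fd, &st) == 0 &&
        S_ISREG(st.st_mode) &&
        (st.st_uid == uid || st.st_uid == 0) &&
        (st.st_mode & (S_IWGRP | S_IWOTH)) == 0)
        ok = 1;
    close(fd);
    return ok;
}

/* Hypothetical helper: builds "$HOME/.editrc" and never falls back to the
 * current directory. Returns 0 on success, -1 if HOME is unusable. */
int home_editrc_path(char *buf, size_t len)
{
    const char *home = getenv("HOME");
    if (home == NULL || home[0] != '/')   /* unset or relative: skip */
        return -1;
    int n = snprintf(buf, len, "%s/.editrc", home);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    char path[PATH_MAX];
    if (home_editrc_path(path, sizeof path) != 0) {
        puts("no usable HOME; skipping .editrc");
        return 0;
    }
    printf("%s: %s\n", path,
           rc_file_is_trusted(path, geteuid()) ? "trusted" : "not loaded");
    return 0;
}
```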


 

Copyright 2010, SecurityFocus