Midnight Commander cons.saver Arbitrary File Write Vulnerability

Midnight Commander is a file management tool for unix systems. Versions 4.5.42 (and likely earlier versions) ship with a tool called cons.saver installed setuid root that is used by Midnight Commander when it is being run from a unix console. The cons.saver program contains a vulnerability that may allow local users to corrupt arbitrary files on the filesystem.

The primary argument to this utility is the path/filename of the terminal device it will use. When cons.saver opens the specified file it tests to determine whether it is a tty or not, but does not close the file descriptor if this test fails. As a result, if a user closes the file descriptor for standard output before cons.saver is executed, cons.saver will open the supplied file and allocate to it file descriptor 1 (standard output) automatically. A null will then be written to what should be standard output but is now the target file before the process exits. If the file specified is a symbolic link, the null will be written to the file pointed to.

Since cons.saver is installed setuid root, any file pointed to by the symbolic link can have a null written to it. This can lead to a local denial of service.


Privacy Statement
Copyright 2010, SecurityFocus