#VU43404 Input validation error in Midnight Commander - CVE-2012-4463

Cybersecurity Help s.r.o.

Published: 2012-10-10 | Updated: 2020-08-11

Vulnerability identifier: #VU43404

Vulnerability risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2012-4463

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Midnight Commander
Other software / Other software solutions

Vendor: GNU Midnight Commander Project

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Midnight Commander: 4.8.5

External links
https://www.openwall.com/lists/oss-security/2012/10/03/4
https://www.openwall.com/lists/oss-security/2012/10/03/5
https://www.securityfocus.com/bid/55777
https://bugs.gentoo.org/show_bug.cgi?id=436518#c7
https://bugzilla.redhat.com/show_bug.cgi?id=862813
https://exchange.xforce.ibmcloud.com/vulnerabilities/79033
https://www.midnight-commander.org/ticket/2913

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for GNU Midnight Commander

Input validation error in Midnight Commander