Re: .exrc file security risks

From: Benjamin A. Okopnik (ben_at_callahans.org)
Date: 04/30/03

  • Next message: Benjamin A. Okopnik: "Re: .exrc file security risks"
    Date: Tue, 29 Apr 2003 21:04:12 -0400
    To: focus-sun@securityfocus.com
    
    

    On Tue, Apr 29, 2003 at 06:44:25PM -0400, Paul Greene wrote:
    > Hello All,
    >
    > I'm verifying the validity of a Solaris hardening guide and came across
    > a recommendation to remove ".exrc" files. However, I can't find anything
    > mentioning ".exrc" files in any of the standard security guidelines I
    > normally refer to (CISecurity and NSA).
    >
    > What, if any, are the risks associated with these files? (Or possibly
    > the spelling ".exrc" is a typo and should be something else?)

    A ".exrc" is a resource file for "vi". It's simply a text file. More
    than that, you can make _any_ file act the part of ".exrc" by using the
    ":so <file>" command from within "vi"; you could even enter the commands
    into a document and source the buffer itself (IIRC.) You can also
    specify a number of these things via the EXINIT variable.

    There is, however, a way that you can get whacked by one, and there's
    not much you can do to prevent it (other than user education, our Holy
    Grail. :) If Joe User downloads a tarball that $EVIL_HACKER has created,
    here's how it can go:

    tar xvzf evil.tgz
            fun_game/foo
            fun_game/bar # This is a fun game - really!
            fun_game/gzot
            html/.exrc # WHOOPS...

    Now, whenever Joe runs "vi" in the "html" subdirectory, he will be
    sourcing all the macros, etc. specified in "html/.exrc". I won't show
    any specific examples, but macros in "vi" can execute shell commands -
    and any keystroke can be tied to a macro.

    The autoloading of the per-directory .exrc files (and shell escape/write
    commands in them) can be disabled by invoking the "secure" command in
    "/etc/exrc". However, it can be cancelled with a "nosecure" line in a
    user's "~/.exrc" or even per-invocation:

    EXINIT=nosecure vi <file>

    For more info, enter ":help trojan-horse" at a modeline in a recent copy
    of Vim.

    Ben Okopnik
    -=-=-=-=-=-
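A small audit script, added here as an example and not part of the original post or of any vi distribution: it walks a directory tree (such as a freshly unpacked tarball) for per-directory .exrc files and flags any that contain a shell escape or a "nosecure" line, and it checks whether a given system-wide exrc file enables "secure". The grep patterns are a heuristic over common ex syntax, not an exhaustive parser; the fixture directory and file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit for .exrc files that could run shell commands when
# vi is started in their directory. Patterns are heuristic, not exhaustive.

# exrc_risky FILE -> exit 0 if FILE has a shell escape or disables "secure"
exrc_risky() {
    # matches ':!cmd' / '!cmd' escapes, ':sh', 'w !cmd' filters, 'nosecure'
    grep -Eq '(^|[[:space:]:])(!|sh([[:space:]]|$)|w[[:space:]]*!)|nosecure' "$1"
}

# exrc_audit DIR -> print the path of each risky .exrc under DIR
exrc_audit() {
    find "$1" -name .exrc -type f 2>/dev/null | while IFS= read -r f; do
        if exrc_risky "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# exrc_count_risky DIR -> number of risky .exrc files under DIR
exrc_count_risky() {
    exrc_audit "$1" | wc -l | tr -d ' '
}

# exrc_secure_set FILE -> exit 0 if FILE turns on "secure" and never "nosecure"
# (heuristic: accepts both "secure" and "set secure" spellings)
exrc_secure_set() {
    grep -Eq '(^|[[:space:]])(set[[:space:]]+)?secure([[:space:]]|$)' "$1" \
        && ! grep -q 'nosecure' "$1"
}

# make_fixture -> create a constructed tree like the unpacked tarball in the
# post, plus a sample system-wide exrc, and print its root directory
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/fun_game" "$d/html" "$d/docs"
    printf 'set number\nset autoindent\n' > "$d/docs/.exrc"   # benign settings
    printf 'map q :!sh\n' > "$d/html/.exrc"                    # shell escape
    printf 'set nosecure\n' > "$d/fun_game/.exrc"              # cancels secure
    printf 'set secure\n' > "$d/etc_exrc"                      # stand-in /etc/exrc
    printf '%s\n' "$d"
}
```

Run it as `exrc_audit /path/to/unpacked/tree` to list the files worth inspecting before anyone runs vi there, and `exrc_secure_set /etc/exrc` to confirm the system-wide mitigation from the post is actually in place.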

