Buffer Overflow in Midnight Commander Extension Handler #5115

@RCydefe

Description

Is there an existing issue for this?

  • I have searched the existing issues

Midnight Commander version and build configuration

4.8.33 (commit f03e97f25, and likely all prior versions)

Operating system

Linux Kali 6.19.14+kali-amd64

Is this issue reproducible using the latest version of Midnight Commander?

  • I confirm the issue is still reproducible with the latest version of Midnight Commander

How to reproduce

  1. Create a file with a path > 1280 bytes — requires deeply nested directories.
     Each directory component can be up to 255 bytes (NAME_MAX). Seven components of
     ~185 bytes each yields a 1291-byte path, confirmed achievable on Linux:

     python3 -c "
     import os
     components = ['A'*200, 'B'*200, 'C'*200, 'D'*200, 'E'*200, 'F'*200, 'G'*80]
     path = '/tmp/' + '/'.join(components)
     os.makedirs(path, exist_ok=True)
     open(path + '/test.txt', 'w').write('test')
     print(f'Path length: {len(path)} bytes — created successfully')
     "
     # Output: Path length: 1291 bytes — created successfully

  2. Control an mc.ext.ini rule for that file type — requires write access to
     ~/.config/mc/mc.ext.ini. A malicious extension file can be delivered as part of a
     social engineering attack (e.g., bundled with a crafted archive that also creates the
     deep directory structure when extracted).

  3. Victim presses Enter on the crafted file in MC, triggering the extension handler.

Expected behavior

No buffer overflow

Actual behavior

==PID==ERROR: AddressSanitizer: global-buffer-overflow
WRITE of size 1289 at 0x... thread T0
    #0 ... in strncpy
    #1 ... in main poc.c:48
0x... is located 0 bytes after global variable 'buffer' of size 1024
SUMMARY: AddressSanitizer: global-buffer-overflow in strncpy

gap:          1280 bytes
pbuffer AFTER:  0x4242424242424242
*** pbuffer CORRUPTED — arbitrary write confirmed ***

Additional context

A buffer overflow vulnerability exists in the MC extension handler (exec_extension() /
exec_make_shell_string()) when processing extension commands that use the %cd
format specifier.

The vulnerable code path is activated when a user opens a file matching an mc.ext.ini
extension rule containing %cd in its command string. The handler expands format
specifiers (%f, %d, %p) into a fixed-size 1024-byte static BSS buffer using
strncpy with the full expanded string length — with no bounds check against the size
of the destination buffer.

When the expanded path exceeds 1024 bytes, the overflow reaches the adjacent BSS
variable pbuffer (confirmed at offset 1280 bytes from buffer on x86_64 Linux).
Corrupting pbuffer with attacker-controlled data creates an arbitrary write
primitive on the next iteration of the format expansion loop.

gdb -ex 'break ext.c:340' -ex 'run' src/mc

Navigate to the long-path file and press Enter

(gdb) p pbuffer # shows current pbuffer value
(gdb) p &buffer # shows buffer address
(gdb) p &pbuffer # shows pbuffer address (1280 bytes after buffer)
(gdb) next # execute strncpy
(gdb) p pbuffer # shows corrupted pbuffer value
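The unchecked copy the report describes, next to a bounded replacement, as an added illustration (this is not mc's code; the `%f`-only expansion, the function names and the buffer layout are simplified assumptions):

```c
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024   /* size of the static buffer the report describes */

/* Pattern the report describes (illustration, not mc's code): the copy length
 * is taken from the source, so anything beyond BUF_SIZE spills into whatever
 * follows `buffer` in .bss. Shown for contrast only; never called here. */
static char buffer[BUF_SIZE];
void expand_unchecked(const char *s) { strncpy(buffer, s, strlen(s)); }

/* Hardened expansion: substitutes %f (file name) into `out`, checking the
 * destination size before every copy. Returns 0 on success, -1 if the result
 * would not fit, terminating NUL included. */
int expand_bounded(const char *cmd, const char *fname, char *out, size_t out_size)
{
    size_t pos = 0;
    char one[2] = { 0, 0 };
    if (out_size == 0) return -1;
    for (const char *p = cmd; *p != '\0'; p++) {
        const char *piece = one;
        size_t len = 1;
        if (p[0] == '%' && p[1] == 'f') {   /* %f -> file name */
            piece = fname;
            len = strlen(fname);
            p++;
        } else {
            one[0] = *p;
        }
        if (len >= out_size - pos)          /* pos + len + 1 > out_size: refuse */
            return -1;
        memcpy(out + pos, piece, len);
        pos += len;
    }
    out[pos] = '\0';
    return 0;
}

/* Test helper: expand "cd %f" with a constructed file name of n 'A' bytes into a
 * BUF_SIZE buffer; returns the expanded length, or -1 if the copy was refused. */
int check_path_of_length(size_t n)
{
    char out[BUF_SIZE], *fname = malloc(n + 1);
    int rc = -1;
    if (fname != NULL) {
        memset(fname, 'A', n); fname[n] = '\0';
        rc = expand_bounded("cd %f", fname, out, sizeof out) == 0 ? (int)strlen(out) : -1;
        free(fname);
    }
    return rc;
}
```

With "cd " taking three bytes, a 1020-byte name is the longest that still fits with its NUL; the 1291-byte path from the reproduction steps is refused instead of being copied.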
