[11164] in bugtraq


Re: Troff dangerous.

daemon@ATHENA.MIT.EDU (Groovy Pants Gus)
Wed Jul 28 05:29:57 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id:  <3.0.32.19990727150304.00d4d6b8@sb7.yoonix.net>
Date:         Tue, 27 Jul 1999 15:03:13 +1000
Reply-To: Groovy Pants Gus <gus@SB7.YOONIX.NET>
From: Groovy Pants Gus <gus@SB7.YOONIX.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

At 01:27 PM 7/25/99 -0700, you wrote:
>On Sun, 25 Jul 1999 17:29:56 +0600
> CyberPsychotic <mlists@GIZMO.KYRNET.KG> wrote:
>

{snip}

>
>The trick is that it can get you if you as a system administrator download
>some open source program from the Internet, and build and install that
>program; such activity often happens as "root", so a couple of scenarios
>are possible:
>
>	(1) Root installs the malicious roff source unknowingly.
>
>	(2) During the process of building/installing the program, groff
>	    is invoked as root to create a pre-formatted version of
>	    the manual page (a "cat page"), at which point the trojan
>	    horse does its dirty work.
>
>        -- Jason R. Thorpe <thorpej@nas.nasa.gov>
>

Just some idle thoughts: if a system had already been compromised, a
backdoor could be put in a man page.. admin thinks he's secure.. admin
needs to refer to man pages.. man pages insert trojan and email hacker..
or does Tripwire, etc. know to check for stuff like that? (and will it
after all this fuss on the issue has died down? :)

-- Groove On - http://sb7.yoonix.net/~gus/ (might be down, blame admin :)
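
The reply above asks whether integrity tools would notice a backdoored man page. As an added example (not part of the original post, nor taken from any tool named in it), this scanner flags roff request lines that groff's safer mode (`-S`) disables, plus `.als`/`.rn` lines that rename them and `.cc`/`.c2` lines that change the control character. The function names and the sample page are constructed for illustration.

```python
import gzip
import re
import sys
from pathlib import Path

# Requests that groff's safer mode (-S) disables: they run commands or open files.
UNSAFE = {"sy", "pi", "pso", "open", "opena"}
# A request line: control character "." or "'", optional blanks, then the name.
REQUEST = re.compile(r"^[.'][ \t]*([A-Za-z0-9]+)(.*)$")

# Constructed sample page (not from the thread); the commands are harmless.
SAMPLE = r""".TH DEMO 1
.SH NAME
demo \- constructed sample page
.\" a comment that mentions .sy is not a request
.  sy true
'pi cat
.als zz open
.SH DESCRIPTION
Plain text with sy and open as ordinary words.
"""

def scan_roff(text):
    """Return (line_number, request, line) for each suspicious request line."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        m = REQUEST.match(line)
        if not m:
            continue
        name, args = m.group(1), m.group(2).split()
        # An alias or rename can reach an unsafe request under another name.
        aliased = name in ("als", "rn") and UNSAFE & set(args)
        if name in UNSAFE or aliased or name in ("cc", "c2"):
            findings.append((num, name, line))
    return findings

def read_page(path):
    """Read a plain or gzip-compressed man page as text."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="latin-1") as fh:
        return fh.read()

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print(scan_roff(SAMPLE))
    for root in sys.argv[1:]:
        for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
            for num, name, line in scan_roff(read_page(path)):
                print(f"{path}:{num}: .{name}: {line.strip()}")
```

A hit is a prompt for manual review of the page; the scan complements a file-integrity baseline over the man directories and does not replace one.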
