[14073] in bugtraq


Re: man bugs might lead to root compromise (RH 6.1 and other

daemon@ATHENA.MIT.EDU (H D Moore)
Mon Feb 28 16:05:40 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id:  <38BA0428.E626D348@secureaustin.com>
Date:         Sun, 27 Feb 2000 23:14:16 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Hi,

I could not reproduce this on a SuSE 6.2 system running:

man, version 2.3.10, db 2.3.1, July 12th, 1995
(G.Wilford@ee.surrey.ac.uk)

My copy is setgid man and I also subjected it to 4, 8, and 20 kb buffers
in every environment variable it uses without it flinching.



Michal Zalewski wrote:
> 
> With most of Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environmental variables. For example,
> by specifying MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:
> 
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
> 
> [...]
> 
> 1200  setuid(500)                       = 0
> 1200  setgid(15)                        = 0
> 1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  close(-1)                         = -1 EBADF (Bad file descriptor)
> 1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
> 1200  --- SIGSEGV (Naruszenie ochrony pamięci) ---
> 1200  +++ killed by SIGSEGV +++
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
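The pattern Zalewski describes (an environment value sprintf'ed into a fixed-size buffer and handed to system()) beside a bounded form that refuses oversized or shell-unsafe values. This is an added illustration, not man's source or either poster's code; the buffer sizes, the `more` default and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_MAX   1024   /* assumed command buffer size */
#define PAGER_MAX  256   /* assumed upper bound for a sane MANPAGER value */

/* Vulnerable shape: unbounded sprintf into a stack buffer, then system().
 * A ~4k MANPAGER overruns cmd, which is why the strace ends in SIGSEGV.
 * Kept only for comparison; nothing below calls it. */
void build_pager_cmd_unsafe(const char *page)
{
    char cmd[CMD_MAX];
    const char *pager = getenv("MANPAGER");
    if (pager == NULL)
        pager = "more";
    sprintf(cmd, "%s < %s", pager, page);   /* BUG: no length check */
    system(cmd);
}

/* Hardened form: bound the value, reject shell metacharacters (the
 * string still reaches system()), and detect snprintf truncation.
 * Returns 0 and fills out on success, -1 if the caller should fall
 * back to a built-in default instead of trusting the environment. */
int build_pager_cmd(const char *pager_env, const char *page,
                    char *out, size_t outlen)
{
    if (pager_env == NULL || *pager_env == '\0')
        pager_env = "more";
    if (strlen(pager_env) > PAGER_MAX)
        return -1;                           /* oversized: refuse */
    if (strpbrk(pager_env, ";|&`$()<>\n") != NULL)
        return -1;                           /* would be interpreted by sh */
    int n = snprintf(out, outlen, "%s < %s", pager_env, page);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                           /* truncated: refuse */
    return 0;
}

int main(void)
{
    char cmd[CMD_MAX];
    char big[4001];                          /* constructed 4000 x 'A' */
    memset(big, 'A', 4000);
    big[4000] = '\0';
    printf("big value rejected: %d\n",
           build_pager_cmd(big, "/usr/man/man1/ls.1", cmd, sizeof cmd));
    if (build_pager_cmd("less -s", "/usr/man/man1/ls.1", cmd, sizeof cmd) == 0)
        printf("ok: %s\n", cmd);
    return 0;
}
```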
