[18997] in bugtraq


Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (Martin Schulze)
Sun Feb 4 23:55:19 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20010204110554.V15483@finlandia.infodrom.north.de>
Date:         Sun, 4 Feb 2001 11:05:54 +0100
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To:         StyX <styx@MAILBOX.AS>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <3A7C2431.35F9FD10@mailbox.as>; from styx@MAILBOX.AS on Sat,
              Feb 03, 2001 at 04:30:57PM +0100

StyX wrote:
> Joao Gouveia wrote:
> >
> > Hi,
> >
> > This issue has been discussed in vuln-dev (2001-01-26), see:
> > http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
> >
> > Posted also on suse security list, and apparently overlooked.
> >
> > The man package that ships with SuSe Linux (at least versions 6.1 through
> > 7.0) has a format string vulnerability. Also Debian 2.2r2 (at least) is
> > confirmed to have the same problem.
> >
> > <quote>
> > jroberto@spike:~ > man -l %x%x%x%x
> > man: 4000bc7438049af00: No such file or directory
> > </quote>
> >
> > Regards,
> >
> > Joao Gouveia
> > ------------
> > tharbad@kaotik.org
>
> Hmm... What about this?
>
> styx@SuxOS-devel:~$ man -l %n%n%n%n
> man: Segmentation fault
> styx@SuxOS-devel:~$
>
> This was on my Debian 2.2 potato system (It doesn't dump core though).

Please tell me what you gain from this.  man does not run setuid root/man
but only setgid man.  So all you can exploit this to is a shell running
under your own user id.

Please correct me if I'm mistaken.

Regards,

	Joey

--
GNU GPL: "The source will be with you... always."
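The pattern the thread describes, a user-controlled filename reaching a printf-family call as the format string, beside the fixed form, as an added C example that is not from the thread or from the man sources. The "man: <file>: No such file or directory" layout is taken from the quoted output; the function names and the use of snprintf/strerror are assumptions for illustration.

```c
/* Added example: the format-string defect described in the thread, and
 * its fix.  Not the man package's own code; names are illustrative. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* VULNERABLE pattern (shown as a comment so this file compiles cleanly):
 *
 *     fprintf(stderr, msg);          // msg contains the user's filename
 *
 * Because the untrusted text is the format string, "%x%x%x%x" prints
 * stack words (the hex seen in the first quoted run) and "%n" writes to
 * memory (the segfault in the second).  gcc -Wformat-security flags it. */

/* Fixed pattern: untrusted input is only ever a %s argument, never the
 * format.  Writes "man: <name>: No such file or directory" into buf and
 * returns the length the full message would need, so the caller can
 * detect truncation (return value >= buflen). */
static int report_missing_file(const char *name, char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "man: %s: %s", name, strerror(ENOENT));
}

int main(int argc, char **argv)
{
    char buf[256];
    /* constructed input standing in for the argument to `man -l` */
    const char *name = argc > 1 ? argv[1] : "%x%x%x%x";
    int needed = report_missing_file(name, buf, sizeof buf);

    /* The conversion specs come back as literal text; nothing is read
     * from or written to the stack. */
    fputs(buf, stderr);
    fputc('\n', stderr);
    if (needed >= (int)sizeof buf)
        fputs("man: (message truncated)\n", stderr);
    return 0;
}
```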
