[19018] in bugtraq
Re: SuSe / Debian man package format string vulnerability
daemon@ATHENA.MIT.EDU (Roman Drahtmueller)
Mon Feb 5 19:49:33 2001
Message-ID: <Pine.LNX.4.30.0102052312440.26556-100000@dent.suse.de>
Date: Mon, 5 Feb 2001 23:17:28 +0100
Reply-To: Roman Drahtmueller <draht@SUSE.DE>
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010204014834.A1351@lin-gen.com>
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't pose a security problem.
> I don't know about Suse/Redhat/others.
SuSE ships the /usr/bin/man command suid man.
After exploiting the man command format string vulnerability, the attacker
can then replace the /usr/bin/man binary with a program of their own - since the
man command is supposed to be used frequently (especially by administrators),
this poses a rather high security risk, which deserves some due respect.
We'll provide update packages shortly.
> Greets,
> Robert
Roman.
--
Roman Drahtmüller <draht@suse.de>                 // "Caution: Cape does
SuSE GmbH - Security     Phone:                   // not enable user to fly."
Nürnberg, Germany        +49-911-740530           // (Batman Costume warning label)
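A small audit helper, added here and not part of the original thread, that makes the point of this exchange checkable on a given system: it reads the setuid/setgid bits and the owner of a binary such as /usr/bin/man and states what a local bug in that binary would be worth. The path /usr/bin/man and the owner "man" come from the thread; the function name and output wording are constructed for this example.

```shell
#!/bin/sh
# suid_exposure PATH
# Classifies how much a local bug (crash or code execution) in PATH is
# worth, from its setuid/setgid bits and owner, as ls -l reports them.
# ls -l is used instead of stat(1) because its columns are portable
# across GNU and BSD userlands.
suid_exposure() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path"; return 2; }
    info=$(ls -ld "$path") || return 2
    mode=${info%% *}                                   # e.g. -rwsr-xr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    group=$(printf '%s\n' "$info" | awk '{print $4}')
    suid=no; sgid=no
    case "$mode" in ???[sS]*)    suid=yes ;; esac      # owner-exec slot
    case "$mode" in ??????[sS]*) sgid=yes ;; esac      # group-exec slot
    if [ "$suid" = yes ] && [ "$owner" = root ]; then
        echo "setuid-root: a code-execution bug in $path is a full root compromise"
    elif [ "$suid" = yes ]; then
        # The thread's case: man is suid to user 'man', and that user owns
        # /usr/bin/man, so exploited code can rewrite the binary that every
        # later caller (including root) will run.
        echo "setuid-$owner: exploited code runs as $owner, who owns $path and can replace it for every later user"
    elif [ "$sgid" = yes ]; then
        echo "setgid-$group: exploited code gains group $group"
    else
        echo "unprivileged: a bug in $path stays within the caller's own rights"
    fi
}

# Stand-alone use: audit the binary the thread is about.
suid_exposure "${1:-/usr/bin/man}"
```

On a Debian-style install the last line reports "unprivileged"; on a system that ships man setuid to user man it reports the replaceable-binary case.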