[19029] in bugtraq
Re: SuSe / Debian man package format string vulnerability
daemon@ATHENA.MIT.EDU (Kris Kennaway)
Mon Feb 5 22:22:52 2001
Message-Id: <20010205170551.A20363@mollari.cthul.hu>
Date: Mon, 5 Feb 2001 17:05:51 -0800
Reply-To: Kris Kennaway <kris@OBSECURITY.ORG>
From: Kris Kennaway <kris@OBSECURITY.ORG>
X-To: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.30.0102052312440.26556-100000@dent.suse.de>; from
draht@SUSE.DE on Mon, Feb 05, 2001 at 11:17:28PM +0100
On Mon, Feb 05, 2001 at 11:17:28PM +0100, Roman Drahtmueller wrote:
> SuSE ships the /usr/bin/man command suid man.
>
> After exploiting the man command format string vulnerability, the attacker
> can then replace the /usr/bin/man binary with an own program - since the
> man command is supposed to be used frequently (especially for administrators),
> this imposes a rather high security risk, which deserves some due respect.
>
> We'll provide update packages shortly.
The solution FreeBSD uses is to set the schg flag on /usr/bin/man -
this flag can only be set and removed by root, and prevents a
compromise of the man user from overwriting the binary.
FWIW, I don't think FreeBSD has the man problem.
Kris
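
An added example, not part of the original message: a small audit for the mitigation described above, listing set-uid binaries owned by a non-root account that do not carry the schg flag. It assumes FreeBSD `ls -lo` long-listing output with paths that contain no spaces; the function names, the sample listing, and every path and account in it other than /usr/bin/man are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# On FreeBSD the input would come from something like:
#   find /usr/bin /usr/sbin -perm -4000 -exec ls -lo {} +
# and a reported file would be locked by root with:
#   chflags schg <path>

# Reads `ls -lo` lines on stdin; prints each set-uid file that is owned by a
# non-root account and lacks the schg flag (so that account could replace it).
audit_schg() {
    awk '
        {
            mode = $1; owner = $3; flags = $5; path = $NF
            # set-uid shows as s or S in the owner-execute position
            if (substr(mode, 4, 1) !~ /[sS]/) next
            # a root-owned binary is not writable by a compromised service user
            if (owner == "root") next
            # flags are comma-separated, "-" when none are set
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "schg") next
            print path
        }'
}

# Constructed sample listing (illustrative values, not real system output).
sample_listing() {
    cat <<'EOF'
-r-sr-xr-x  1 man          wheel  schg   28008 Jan 29  2001 /usr/bin/man
-r-sr-xr-x  1 exampleuser  wheel  -      90112 Jan 29  2001 /usr/local/bin/example-a
-r-sr-xr-x  1 root         wheel  -      21312 Jan 29  2001 /usr/local/bin/example-root
-r-sr-xr-x  1 exampleuser  wheel  uarch  40960 Jan 29  2001 /usr/local/bin/example-b
-r-xr-xr-x  1 exampleuser  wheel  -      12288 Jan 29  2001 /usr/local/bin/example-c
EOF
}

sample_listing | audit_schg
```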