[19030] in bugtraq


Re: SuSe / Debian man package format string vulnerability

daemon@ATHENA.MIT.EDU (Darren Moffat)
Mon Feb 5 22:35:12 2001

MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Content-MD5: fV3Uc1GIvqSlLPVy9BU2oQ==
Message-ID:  <200102060134.f161YlR299519@jurassic.eng.sun.com>
Date:         Mon, 5 Feb 2001 17:34:47 -0800
Reply-To: Darren Moffat <Darren.Moffat@eng.sun.com>
From: Darren Moffat <Darren.Moffat@eng.sun.com>
To: BUGTRAQ@SECURITYFOCUS.COM

>> > This was on my Debian 2.2 potato system (It doesn't dump core though).
>> Just for the record:
>> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
>> this doesn't impose a security problem.
>> I don't know about Suse/Redhat/others.
>
>SuSE ships the /usr/bin/man command suid man.
>
>After exploiting the man command format string vulnerability, the attacker
>can then replace the /usr/bin/man binary with a program of their own - since the
>man command is supposed to be used frequently (especially by administrators),
>this imposes a rather high security risk, which deserves some due respect.
>
>We'll provide update packages shortly.

I'm having a hard time working out why the man command is setuid to any
user.

Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text?

--
Darren J Moffat
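As an added illustration, not part of the thread and not code from man or from any distribution's package, the following C block shows the defect class under discussion: user-controlled text used as a printf-family format string, next to the hardened form, plus a small audit helper that counts conversion directives in a string about to be used as a format. The function names and the sample input are constructed for this example. In a setuid binary such a bug lets the caller read the stack (%x, %s) or write memory (%n) with the owner's privileges, which is why the setuid bit, not just the bug, is the concern raised above.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the user-controlled string is used AS the format.
 * Any %-directives in it are interpreted by the printf family; that is the
 * whole mechanism of a format string bug. snprintf is used here instead of
 * printf only so the result can be inspected; the defect is identical. */
int render_unsafe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, user);   /* BUG: user is the format */
}

/* Hardened form: a fixed format, user data passed as an argument. */
int render_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Audit helper: count conversion directives in a string that is about to be
 * used as a format. "%%" is a literal percent sign, not a conversion.
 * Any count above zero in untrusted input is a red flag. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: "%%" needs no argument, so the demonstration has
     * no undefined behaviour while still showing the directive being eaten. */
    const char *input = "100%% safe";

    render_unsafe(buf, sizeof buf, input);
    printf("unsafe: %s\n", buf);   /* prints "100% safe": %% was interpreted */
    render_safe(buf, sizeof buf, input);
    printf("safe:   %s\n", buf);   /* prints "100%% safe": copied verbatim */

    printf("conversions in \"%%x%%x%%n\": %d\n", count_conversions("%x%x%n"));
    return 0;
}
```

The practical check this suggests for an audit is the same one compilers automate with -Wformat-security: any printf-family call whose format argument is not a string literal deserves a look, and in a setuid program it deserves a fix before anything else.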
