[19042] in bugtraq
Re: SuSe / Debian man package format string vulnerability
daemon@ATHENA.MIT.EDU (Foldi Tamas)
Tue Feb 6 15:08:46 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A805969.90FB75F@kapu.hu>
Date: Tue, 6 Feb 2001 15:07:05 -0500
Reply-To: Foldi Tamas <crow@KAPU.HU>
From: Foldi Tamas <crow@KAPU.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Megyer Ur wrote:
> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user launches man, our code will be run instead of
> the original /usr/lib/man-db/man binary. This is the real security
> problem.
Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.
Cheers,
Foldi Ur ;)
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477
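The mitigation above sets the ext2/3 immutable attribute so that a process running as the `man` user can no longer overwrite the setuid helper; it does not remove the format string bug itself, so the `man` uid can still be obtained. The following is an added defender's check, not code from the thread or from man-db: it parses `lsattr(1)` output (flags field followed by the path) and reports files that lack the `i` flag. The sample `lsattr` lines are constructed, and `audit_mandb` is a hypothetical wrapper that needs `lsattr` and an ext filesystem to do anything useful.

```shell
#!/bin/sh
# Added example: audit which files lack the immutable attribute that
# "chattr +i" sets, by parsing lsattr(1) output. Not part of the original
# bugtraq thread.

# Read lsattr-style lines ("<flags> <path>") on stdin and print the paths
# whose flag field does not contain the lowercase 'i' (immutable) flag.
missing_immutable() {
    while read -r flags path; do
        case "$flags" in
            *i*) ;;                        # immutable: nothing to report
            *)   printf '%s\n' "$path" ;;  # writable by its owner: flag it
        esac
    done
}

# Constructed sample lsattr output (assumption: the man-db helper has been
# made immutable, its sibling has not).
SAMPLE_LSATTR='----i---------e------- /usr/lib/man-db/man
--------------e------- /usr/lib/man-db/mandb'

# Number of files in the constructed sample that are not immutable.
sample_missing_count() {
    printf '%s\n' "$SAMPLE_LSATTR" | missing_immutable | wc -l | tr -d ' '
}

# Live check (hypothetical helper): list files under the man-db directory
# that are not immutable. Requires lsattr and an ext2/3/4 filesystem.
audit_mandb() {
    dir="${1:-/usr/lib/man-db}"
    lsattr "$dir"/* 2>/dev/null | missing_immutable
}
```

Run `audit_mandb` as root after applying `chattr +i`; any path it prints is still replaceable by whoever owns it, which is exactly the overwrite the quoted message describes. Note that `lsattr` uses an uppercase `I` for a different (directory indexing) flag, so the parser deliberately matches only the lowercase letter.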