[20606] in bugtraq
RH7.0: man local gid 15 (man) exploit
daemon@ATHENA.MIT.EDU (zenith parsec)
Mon May 14 06:28:25 2001
Date: 13 May 2001 20:07:34 -0000
Message-ID: <20010513200734.9834.qmail@fiver.freemessage.com>
From: "zenith parsec" <zenith_parsec@the-astronaut.com>
To: bugtraq@securityfocus.com
========================================================
Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
package) and earlier.
=========================================================
Heap Based Overflow of man via -S option gives GID man.
Due to a slight error in a length check, the -S option to
man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.
man -S `perl -e 'print ":" x 100'`
Will cause a seg fault if you are vulnerable.
It is possible to insert a pointer into a linked list that
will allow overwriting of any value in memory that is followed by 4 null characters (a null pointer). one such
memory location is the last entry on the GOT (global offset table). When another item is added to the linked list, the address of the data (a filename) is inserted over the last value, effectively redefining the function
to the code represented by the filename.
Putting shellcode in the filename allows execution of arbitrary code when the function referred to is called.
Redhat have be contacted, and will be releasing an errata soon.
--zen-parse
GID man allows a race condition for root via
/etc/cron.daily/makewhatis and /sbin/makwhatis
Sign up for your FREE E-MAIL account @ Dynamitemail:
http://www.dynamitemail.com
