[20614] in bugtraq
Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]
daemon@ATHENA.MIT.EDU (Sylwester "Zarębski)
Tue May 15 04:28:52 2001
Date: Mon, 14 May 2001 21:21:47 +0200
From: Sylwester "Zarębski" <sylwek@tornet.pl>
Message-ID: <1857118636.20010514212147@tornet.pl>
To: bugtraq@securityfocus.com
In-Reply-To: <20010513200734.9834.qmail@fiver.freemessage.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sunday, May 13, 2001, 10:07:34 PM, zenith napisał(a):
> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.
> man -S `perl -e 'print ":" x 100'`
Confirmed:
$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault
> Will cause a seg fault if you are vulnerable.
> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). one such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.
> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.
> Redhat have be contacted, and will be releasing an errata soon.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis
My 'man' executable comes from default installation of RH 7.0.
--
pozdrawiam
| Sylwester Zarębski |
| e-mail: sylwek@tornet.pl |
| ICQ uin: #45780888 |
| Administrator TORNET.PL |
