[20665] in bugtraq


Re: RH7.0: man local gid 15 (man) exploit

daemon@ATHENA.MIT.EDU (Colin Watson)
Wed May 16 09:35:45 2001

Date: Tue, 15 May 2001 20:16:14 +0100
From: Colin Watson <cjwatson@debian.org>
To: bugtraq@securityfocus.com
Message-ID: <20010515201614.C10988@riva.ucam.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010513200734.9834.qmail@fiver.freemessage.com>

In article <20010513200734.9834.qmail@fiver.freemessage.com>,
zenith_parsec@the-astronaut.com wrote:
>========================================================
>Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
>package) and earlier.
>=========================================================
>Heap Based Overflow of man via -S option gives GID man.
>
>Due to a slight error in a length check, the -S option to
>man can cause a buffer overflow on the heap, allowing redirection of
>execution into user supplied code.
>
>man -S `perl -e 'print ":" x 100'`
>
>Will cause a seg fault if you are vulnerable.

With the name of a man page as an additional argument, the version of
man-db shipped with Debian GNU/Linux also segfaults here. I just
uploaded version 2.3.18-2 to Debian unstable which fixes this.

However, I believe that the code bases are different enough that a
segfault is as bad as it gets in man-db (the functions in question are
entirely different, and just happen to have the same failure case). Feel
free to prove me wrong.

Cheers,

-- 
Colin Watson                                     [cjw44@flatline.org.uk]
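The thread above attributes the crash to "a slight error in a length check" when man handles the colon-separated section list given to -S. The following is an added example for readers, not code from man-1.5h1 or from man-db, and every name in it (section_list, parse_sections, count_fields, the MAX_SECTIONS and MAX_SECTION_LEN limits) is hypothetical. It shows the two bookkeeping details such a parser must get right to keep its heap copies in bounds: a string containing n colons has n+1 fields (so a run of 100 colons is 101 empty fields, not zero), and each copied field needs len+1 bytes for its terminating NUL.

```c
/* Added example: bounds-checked parsing of a "-S 1:8:3"-style section list.
   Hypothetical names and limits; not the parser used by man or man-db. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS    64   /* constructed cap on the number of sections kept */
#define MAX_SECTION_LEN 15   /* constructed cap on one section name's length  */

struct section_list {
    size_t count;
    char *names[MAX_SECTIONS];   /* heap copies, each NUL-terminated */
};

/* Number of fields in a colon-separated string: colons + 1.
   "::::" therefore has 5 (empty) fields; counting only non-empty text
   here is the kind of off-by-one that undersizes a later allocation. */
size_t count_fields(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        if (*s == ':')
            n++;
    return n;
}

void free_sections(struct section_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        free(l->names[i]);
    l->count = 0;
}

/* Splits arg on ':' into out. Empty fields are skipped. Returns 0 on success,
   -1 (with out emptied) if a field is too long, there are too many fields,
   or allocation fails. Never writes past a copy's len+1 bytes. */
int parse_sections(const char *arg, struct section_list *out)
{
    const char *start = arg;
    out->count = 0;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        if (len > 0) {
            if (len > MAX_SECTION_LEN || out->count == MAX_SECTIONS) {
                free_sections(out);
                return -1;
            }
            char *copy = malloc(len + 1);      /* +1 for the NUL terminator */
            if (!copy) {
                free_sections(out);
                return -1;
            }
            memcpy(copy, start, len);
            copy[len] = '\0';
            out->names[out->count++] = copy;
        }
        if (!end)
            return 0;
        start = end + 1;
    }
}

int main(void)
{
    /* Constructed inputs: a normal list, an all-empty list like the one in
       the report (scaled down), and an over-long section name. */
    const char *inputs[] = { "1:8:3", "::::", "1:thissectionnameistoolong" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct section_list l;
        int rc = parse_sections(inputs[i], &l);
        printf("%-28s fields=%zu rc=%d kept=%zu\n",
               inputs[i], count_fields(inputs[i]), rc, l.count);
        free_sections(&l);
    }
    return 0;
}
```

The parser rejects instead of truncating when a field exceeds the constructed limit, and it frees whatever it already copied on the failure path so a caller cannot leak or reuse half-filled state; a 100-colon argument simply yields an empty list.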
