[20670] in bugtraq


Re: RH7.0: man local gid 15 (man) exploit

daemon@ATHENA.MIT.EDU (aleph1@securityfocus.com)
Wed May 16 12:31:33 2001

Date: Wed, 16 May 2001 02:27:18 -0600
From: aleph1@securityfocus.com
To: bugtraq@securityfocus.com
Message-ID: <20010516022718.A12303@securityfocus.com>

Summary of responses in this thread:

From: PJ <briareos@otherlands.net>

Doesn't work on Slackware 7.1

This is the result:

elvander:~$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?
elvander:~$


From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>

I have many patched rh-7.0 (patches available on March 13, 2001)

redhat:/usr/src# man -S `perl -e 'print ":" x 100'`
What manual page do you want?
-----------
redhat:/usr/src# cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.18-cdhs on an i586
redhat:/usr/src# man -v
man, version 1.5h
redhat:/usr/src# uname -a
Linux redhat 2.2.18-cdhs #5 SMP Wed Jan 31 05:23:44 PST 2001 i586 unknown

redhat's default kernel is 2.2.16-22


From: rcs <rasta@RSHELL.ORG>

Are you sure this has anything to do with heap or buffer overflow?
man -S : man.page will also core dump (Suse btw).


From: Joris Roefs <jroefs@zedd.nl>

[jroefs@router jroefs]$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19 on an i586
[jroefs@router jroefs]$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?

Seems that not all RedHat 7.0 installations are vulnerable.
This installation is (except for the kernel, as you've probably noticed) as
standard as possible, with all existing errata yet to be installed.

Could it be that another (updated) package is responsible for the overflow?


From: Hugh Mc Gauran <hugh.mcgauran@skynet.ie>

confirmed as well on debian woody..


From: "Patrick P. Murphy" <pmurphy@NRAO.EDU>

Red Hat 7.1 with man-1.5h1-20 is not vulnerable.  Tried 100, 1000, 10000,
100000 with the response "what man page do you want?".  At a million, it
barfed "argument list too long".


From: poke <poke@silverlink.net>

Ugggghhhh, ignore my last post. Typo in my test case. I got the segfault
on a RH7.0 system as well.


-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
