[5856] in bugtraq


Re: man problem

daemon@ATHENA.MIT.EDU (zen@TROUBLE.ORG)
Wed Dec 24 23:18:36 1997

Date: 	Wed, 24 Dec 1997 15:34:46 -0800
Reply-To: d <zen@TROUBLE.ORG>
From: d <zen@TROUBLE.ORG>
X-To:         Thomas Fischbacher <tf@PYSIK.TU-MUENCHEN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Thomas Fischbacher <tf@PYSIK.TU-MUENCHEN.DE> "man problem" (Dec
              24, 13:25)

> I just noticed a problem with the man system (version 2.3.10) on my Linux
> box: /usr/man contains the .gz'd man pages:
[...]
> When I execute man, a temporary file containing the un-zipped manpage is
> created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
> e.g. "zman10849aaa". This can be exploited with a simple symlink attack:

Pretty much the same with unformatted 'roff pages on Unix (at least with
my Suns around here; I assume others mostly do the same), with variously
different filenames; SunOS uses /tmp/man{pid}, Solaris /tmp/mpa+cruft, etc.
Another reason to use catman, I guess.

What a neat little trick.  I never thought man would be a security hole.

-- d
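
The temp-file weakness discussed in this thread, next to the usual hardening, as an added example that is not part of the original post or of any man implementation. The helper names and the scratch directory are constructed for illustration; the PID 10849 comes from the filename quoted above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the thread: name derived from the PID, no O_EXCL,
 * so open() follows whatever already sits at that path. */
static int open_tmp_naive(const char *dir, long pid) {
    char path[256];
    snprintf(path, sizeof path, "%s/zman%ldaaa", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: mkstemp() picks an unpredictable name and creates it with
 * O_CREAT|O_EXCL, mode 0600; it never opens an existing file or symlink. */
static int open_tmp_safe(const char *dir, char *path, size_t n) {
    snprintf(path, n, "%s/zmanXXXXXX", dir);
    return mkstemp(path);
}

static int put(const char *p, const char *s) {   /* (re)write a test file */
    FILE *f = fopen(p, "w");
    return f && fputs(s, f) >= 0 && fclose(f) == 0 ? 0 : -1;
}
static long size_of(const char *p) { struct stat st; return stat(p, &st) ? -1 : (long)st.st_size; }

/* Constructed scenario inside a private scratch directory.
 * Returns bit 1: naive open truncated the link target; bit 2: O_EXCL refused
 * the pre-existing name; bit 4: mkstemp() left the target intact. -1 on setup error. */
int demo(void) {
    char dir[] = "/tmp/tmpdemoXXXXXX", victim[256], lnk[256], tmp[256];
    int r = 0, fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/zman%ldaaa", dir, 10849L);
    if (put(victim, "important\n") || symlink(victim, lnk)) return -1;
    if ((fd = open_tmp_naive(dir, 10849L)) >= 0) close(fd);
    if (size_of(victim) == 0) r |= 1;
    if (open(lnk, O_WRONLY | O_CREAT | O_EXCL, 0600) < 0 && errno == EEXIST) r |= 2;
    put(victim, "important\n");
    if ((fd = open_tmp_safe(dir, tmp, sizeof tmp)) >= 0) { close(fd); unlink(tmp); }
    if (fd >= 0 && size_of(victim) == 10) r |= 4;
    unlink(lnk); unlink(victim); rmdir(dir);
    return r;
}
int main(void) { printf("result bits: %d\n", demo()); return 0; }
```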
