Bugtraq mailing list archives
Re: man problem
From: okir () CALDERA DE (Olaf Kirch)
Date: Tue, 30 Dec 1997 11:42:10 +0100
On Wed, Dec 24, 1997 at 03:34:46PM -0800, d wrote:
> What a neat little trick. I never thought man would be a security hole.
At least on Linux, it has been several times. Some early versions of man (running setgid or setuid man) would never revoke privileges when invoking other programs such as troff. As lately as a couple of months ago, both man_db-2.3 and man-1.4i had problems when invoking gzip to uncompress pages. You could force both of them to invoke a different program, which would run under the gid of 'man'.

The funny thing about running with the privilege of man is that some Linux distributions had their man directories and a bunch of manpages group-writable and owned by man.man. This would let you do neat things like inserting .sy commands into those manpages. Anyone displaying one of those trojanized manpages would then cause it to be formatted, with troff executing the .sy command with the credentials of the invoking users. That's a nice way of collecting setuid shells...

Andries Brouwer quickly released a fixed version (man-1.4j). man_db never got updated though, AFAIK, even though I contacted the maintainer a couple of times.

Olaf
--
Olaf Kirch            |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
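An audit for the condition described in the message above, added here as an example and not part of the original post: it walks a man tree, reports directories and pages that are group- or world-writable, and reports pages containing the `.sy` request. It goes slightly beyond the message by also matching `.pso` and `.pi`, which groff treats as unsafe alongside `.sy`; the function names and the sample tree built by `demo()` are constructed for illustration.

```python
import gzip
import os
import re
import stat
import tempfile

# troff requests that run external commands; groff honours them only in unsafe mode (-U).
UNSAFE_REQUEST = re.compile(rb"^[.'][ \t]*(sy|pso|pi)\b", re.MULTILINE)

def read_page(path):
    """Return a page's raw bytes, decompressing .gz in-process (no external gzip)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rb") as fh:
        return fh.read()

def audit_man_tree(root):
    """Report group/world-writable entries and pages containing unsafe requests."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("writable", rel, stat.filemode(st.st_mode)))
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                hits = UNSAFE_REQUEST.findall(read_page(path))
            except (OSError, EOFError) as exc:  # corrupt or truncated .gz, bad perms
                findings.append(("unreadable", rel, type(exc).__name__))
                continue
            findings += [("unsafe-request", rel, h.decode()) for h in hits]
    return findings

def demo():
    """Audit a constructed tree: one clean page, one group-writable page with .sy."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "man1"))
        with open(os.path.join(root, "man1", "clean.1"), "w") as fh:
            fh.write(".TH CLEAN 1\n.SH NAME\nclean \\- constructed sample\n")
        with gzip.open(os.path.join(root, "man1", "trojan.1.gz"), "wb") as fh:
            fh.write(b".TH TROJAN 1\n.sy echo constructed-marker\n")
        for rel, mode in (("man1/clean.1", 0o644), ("man1/trojan.1.gz", 0o664), ("man1", 0o775)):
            os.chmod(os.path.join(root, rel), mode)
        return audit_man_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real system, pass the man directories themselves (for example each entry of the configured manpath) to `audit_man_tree()`; a hit in both the "writable" and "unsafe-request" categories for the same page is the combination the message describes.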