Bugtraq mailing list archives
Re: RH7.0: man local gid 15 (man) exploit
From: Colin Watson <cjwatson () debian org>
Date: Tue, 15 May 2001 20:16:14 +0100
In article <20010513200734.9834.qmail () fiver freemessage com>, zenith_parsec () the-astronaut com wrote:
========================================================
Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default package) and earlier.
=========================================================
Heap Based Overflow of man via -S option gives GID man.

Due to a slight error in a length check, the -S option to man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

man -S `perl -e 'print ":" x 100'`

Will cause a seg fault if you are vulnerable.
With the name of a man page as an additional argument, the version of man-db shipped with Debian GNU/Linux also segfaults here. I just uploaded version 2.3.18-2 to Debian unstable which fixes this.

However, I believe that the code bases are different enough that a segfault is as bad as it gets in man-db (the functions in question are entirely different, and just happen to have the same failure case). Feel free to prove me wrong.

Cheers,

--
Colin Watson [cjw44 () flatline org uk]
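The quoted advisory attributes the overflow to a length check that goes wrong on a long `-S` argument, and the thread's test case is a run of 100 colons. The following is an added illustration of the bug class from the defensive side, not code from man-1.5h1 or man-db (the function names, buffer sizes and parsing rules are assumptions): a bounded parser for a colon-separated section list that accounts for every byte it writes and rejects input it cannot store, including the all-colons case, instead of writing past its buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical storage for a `-S` section list such as "1:3:8".
   Sizes are assumptions chosen for the illustration. */
#define MAX_SECTIONS 8
#define SECTION_LEN  8   /* room for a short section name plus the NUL */

/* Parse a colon-separated section list into out[].
   Returns the number of sections stored, or -1 if the input does not
   fit: an empty field (as produced by a run of colons or a trailing
   colon), an over-long field, or too many fields is rejected before
   anything is copied, rather than discovered after the buffer is full.
   Note that the check counts the terminating NUL (len >= SECTION_LEN),
   which is the kind of byte an off-by-one length check forgets. */
int parse_section_list(const char *arg, char out[MAX_SECTIONS][SECTION_LEN])
{
    int count = 0;
    const char *p = arg;

    while (*p != '\0') {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);

        if (len == 0 || len >= SECTION_LEN || count >= MAX_SECTIONS)
            return -1;

        memcpy(out[count], p, len);
        out[count][len] = '\0';
        count++;

        if (sep == NULL)
            break;
        p = sep + 1;
        if (*p == '\0')          /* trailing ':' gives an empty field */
            return -1;
    }
    return count;
}

/* Convenience wrapper: parse into a scratch buffer and return the verdict. */
int count_sections(const char *arg)
{
    char out[MAX_SECTIONS][SECTION_LEN];
    return parse_section_list(arg, out);
}

/* The thread's test input, a run of n colons, built in memory instead of
   via perl. Returns the parser's verdict for it. */
int parse_colon_run(size_t n)
{
    char buf[256];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, ':', n);
    buf[n] = '\0';
    return count_sections(buf);
}

int main(void)
{
    printf("\"1:3:8\"      -> %d sections\n", count_sections("1:3:8"));
    printf("100 colons   -> %d (rejected)\n", parse_colon_run(100));
    printf("\"toolongname\" -> %d (rejected)\n", count_sections("toolongname"));
    return 0;
}
```

The point of the wrapper `parse_colon_run` is that the same input which segfaults a vulnerable `man` should produce a clean error return from a parser whose length check is correct; a fuzz harness for a real section-list parser would assert exactly that.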