Bugtraq mailing list archives

Re: Troff dangerous.


From: aaron () CS DAL CA (Aaron Campbell)
Date: Tue, 27 Jul 1999 00:45:30 -0300


On Mon, 26 Jul 1999, Nic Bellamy wrote:

I've also checked OpenBSD 2.5 and FreeBSD 3.2 - the groff on both systems
defaults to the unsafe behaviour.

OpenBSD-current has been fixed to pass the -S (safer mode) option to groff
from the nroff.sh script. Please see the following URL:

http://www.openbsd.org/cgi-bin/cvsweb/src/gnu/usr.bin/groff/nroff/nroff.sh

Since all pre-formatted man pages are assembled from nroff and man(1) itself
uses nroff to compile manuals on-the-fly, this seems to be a reasonable fix.

Again, this (mis)feature has been known for years (the opena/write/pos macros
are clearly documented, in fact!) Not really any different than installing and
running software from untrusted sources, but a good heads up and -S is
definitely a good idea as an extra precaution.

I wasn't going to start a whole new thread about it, but since I'm writing
this I might as well mention it. FreeBSD PR/6317 notes a problem in the
telnet(1) client. The -E option disables escape characters entirely so it is
not supposed to be possible to escape to the `telnet>' prompt. However, if the
-8 (binary) option is specified to telnet as well (i.e., telnet -8E <host>),
sending a 0xFF character would indeed still cause the escape.

This could be a security issue on systems that jail users in "canned"
environments (i.e., lynx-only freenet systems) but allow use of the telnet
client. If the bug described above were present and the conditions were right,
a user may be able to escape to the telnet> prompt and, for example, run shell
commands using the `!' mechanism.

FreeBSD fixed this and OpenBSD adopted the fix as well. I have no idea about
the status of other operating systems. Oh, Andrew Maltsev <am () amsoft ru> filed
this problem report. If you want to test this on your system, it can be easily
done in X. Open up an xterm and type: printf "\777\n" at the shell prompt.
Highlight and copy the strange character printed. Now do a telnet -8E <host>
and paste the character, see if it escapes to the prompt. Ok, this might not
work on all systems, but it worked for me.

Since we were on the subject of a fairly *cough* minor *cough* security issue
I thought I'd bring this up.

  .
 :  Aaron Campbell <aaron () cs dal ca> - [ http://www.biodome.org/~fx ]
  `-------------------------------------------------------------------


Current thread: