Bugtraq mailing list archives

Re: Troff dangerous.


From: gus () SB7 YOONIX NET (Groovy Pants Gus)
Date: Tue, 27 Jul 1999 15:03:13 +1000


At 01:27 PM 7/25/99 -0700, you wrote:
On Sun, 25 Jul 1999 17:29:56 +0600
CyberPsychotic <mlists () GIZMO KYRNET KG> wrote:


{snip}


The trick is that it can get you if you as a system administrator download
some open source program from the Internet, and build and install that
program; such activity often happens as "root", so a couple of scenarios
are possible:

      (1) Root installs the malicious roff source unknowingly.

      (2) During the process of building/installing the program, groff
          is invoked as root to create a pre-formatted version of
          the manual page (a "cat page"), at which point the trojan
          horse does its dirty work.

       -- Jason R. Thorpe <thorpej () nas nasa gov>


Just some idle thoughts, if a system had already been compromised, a
backdoor could be put in a man page.. admin thinks he's secure.. admin
needs to refer to man pages.. man pages insert trojan and email hacker..
or does tripwire, etc know to check for stuff like that? (and will it
after all this fuss on the issue has died down? :)

-- Groove On - http://sb7.yoonix.net/~gus/ (might be down, blame admin :)
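
An added example, not part of the original post or thread: one way a file audit could look for this in man page sources is to flag the requests groff documents as unsafe (open, opena, pso, sy, pi). The request list comes from groff's documentation rather than from this thread; the function names and the sample page are hypothetical and constructed for illustration.

```python
import gzip
import re
from pathlib import Path

# Requests groff documents as unsafe; its -U option is what enables them.
UNSAFE = ("opena", "open", "pso", "sy", "pi")

# Control character (. or '), optional blanks, optional "do" prefix, then the
# request name. Also matched after a conditional such as ".if 1 .sy ...".
REQ_RE = re.compile(
    r"(?:^|[ \t]|\\\{)[.'][ \t]*(?:do[ \t]+)?(%s)(?=[ \t]|$)" % "|".join(UNSAFE)
)

def scan_roff(text):
    """Return [(line_number, request, line)] for unsafe requests in roff source."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.startswith((".", "'")):       # only control lines carry requests
            continue
        if re.match(r"[.'][ \t]*\\[\"#]", line):  # roff comment line
            continue
        for m in REQ_RE.finditer(line):
            hits.append((no, m.group(1), line.strip()))
    return hits

def scan_tree(root):
    """Scan every file under root (plain or .gz); map path -> list of hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        raw = path.read_bytes()
        if path.suffix == ".gz":
            raw = gzip.decompress(raw)
        hits = scan_roff(raw.decode("latin-1"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample page; the shell commands are harmless placeholders.
SAMPLE = r""".TH DEMO 1
.SH NAME
demo \- constructed page
.\" .sy in a comment is not a request
.sy echo placeholder
.if 1 .pso echo placeholder
Text mentioning .sy is not a control line.
"""
```

The match is case-sensitive, so the man macro .SY (synopsis) is not flagged. The scan does not follow .so includes or a control character changed with .cc, so a clean result is a triage signal and does not replace checksumming the man directories.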

