Bugtraq mailing list archives

Re: man bugs might lead to root compromise (RH 6.1 and other boxes)


From: whitis () DBD COM (Mark Whitis)
Date: Sun, 27 Feb 2000 23:48:09 -0500


On Sat, 26 Feb 1994, Michal Zalewski wrote:

> With most Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environmental variables. For example,
> by specifying a MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:

This might be a side effect of the fix for another security hole.
IIRC, /var/catman/ was world writable allowing for all kinds of symlink
games which would allow ordinary users to do some things as root
(like clobbering files) by laying a trap in /var/catman/ and waiting
for root to run man.

Exploiting this buffer overflow bug to gain man privileges would then
allow you to exploit the previous bugs as well if root runs "man"
(or possibly the privileges of any user who runs man).

If you need to run man as root, consider:
   su nobody -c "man ls"             # assumes shell is /bin/bash
Or just switch to another console or window.

The man program was never designed to be secure but having a shared
manpage cache requires man to be secure.  If you disable man page caching,
you should be able to run man without setgid.

---------------------------------------------------------------------------
---  Mark Whitis <whitis () dbd com>     WWW:  http://www.dbd.com/~whitis/ ---
---------------------------------------------------------------------------
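As an added example (not part of the original post and not code from the man program), a shell audit for the two conditions Mark describes: a setuid/setgid man binary and a world-writable cat-page cache. The paths /usr/bin/man and /var/catman are the ones named in the thread; the demo tree it builds in a temporary directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audits a system for the two
# conditions the thread describes, a setuid/setgid man binary and a
# world-writable formatted-page cache such as /var/catman.
# Usage: sh audit-man.sh [MAN_BINARY] [CACHE_DIR]; no arguments runs a demo
# on a constructed temporary tree.

# audit_man_binary FILE: 0 = unprivileged, 1 = setuid/setgid, 2 = absent
audit_man_binary() {
    f="$1"
    [ -e "$f" ] || { echo "absent: $f"; return 2; }
    if [ -u "$f" ] || [ -g "$f" ]; then
        echo "privileged: $f is setuid/setgid; its system()/sprintf paths run as that identity"
        return 1
    fi
    echo "ok: $f carries no setuid/setgid bit"
    return 0
}

# audit_cache_dir DIR: 0 = safe or absent, 1 = world-writable without the
# sticky bit (symlink/clobber traps possible), 3 = world-writable but sticky
audit_cache_dir() {
    d="$1"
    [ -d "$d" ] || { echo "absent: $d (no shared cache to trap)"; return 0; }
    if [ -n "$(find "$d" -prune -perm -0002 -print)" ]; then
        if [ -n "$(find "$d" -prune -perm -1000 -print)" ]; then
            echo "sticky: $d is world-writable but sticky; files can still be planted there"
            return 3
        fi
        echo "weak: $d is world-writable; any user can lay a trap for root's man"
        return 1
    fi
    echo "ok: $d is not world-writable"
    return 0
}

# run_demo: constructed tree; 0 when the weak state is flagged and the fixed one passes
run_demo() {
    t=$(mktemp -d); : > "$t/man"; mkdir "$t/catman"
    chmod 6755 "$t/man"; chmod 0777 "$t/catman"     # weak state from the thread
    b1=0; audit_man_binary "$t/man" || b1=$?
    d1=0; audit_cache_dir "$t/catman" || d1=$?
    chmod 0755 "$t/man"; chmod 0755 "$t/catman"     # hardened state
    b2=0; audit_man_binary "$t/man" || b2=$?
    d2=0; audit_cache_dir "$t/catman" || d2=$?
    rm -rf "$t"
    [ "$b1$d1$b2$d2" = "1100" ]
}

if [ $# -eq 0 ]; then run_demo; else audit_man_binary "$1"; audit_cache_dir "${2:-/var/catman}"; fi
```

Run it with no arguments to see the weak and hardened states side by side, or pass the real paths to audit an installation.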
