Bugtraq mailing list archives
Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Sun, 27 Feb 2000 23:14:16 -0600
Hi,

I could not reproduce this on a SuSE 6.2 system running:

    man, version 2.3.10, db 2.3.1, July 12th, 1995 (G.Wilford () ee surrey ac uk)

My copy is setgid man and I also subjected it to 4, 8, and 20 kb buffers in every environment variable it uses without it flinching.

Michal Zalewski wrote:

> With most Linux distributions, /usr/bin/man is shipped as setgid man. This setgid bit is required to build formatted manpages in /var/catman for faster access. Unfortunately, man does almost everything via system() calls, where parameters are user-dependent, and almost always it's sprintf'ed beforehand into fixed-size buffers. It's kinda trivial to gain man privileges using buffer overflows in environment variables. For example, by specifying a MANPAGER variable with approx. 4k 'A' letters, you'll get a SEGV:
>
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
> [...]
> 1200 setuid(500) = 0
> 1200 setgid(15) = 0
> 1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 close(-1) = -1 EBADF (Bad file descriptor)
> 1200 write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
> 1200 --- SIGSEGV (Naruszenie ochrony pamięci) ---
> 1200 +++ killed by SIGSEGV +++
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
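The pattern Michal describes (a user-controlled environment value sprintf'ed into a fixed-size buffer that is then handed to system() from a setgid process) and the fixes a maintainer would apply, as an added example. This is constructed illustration code, not the man source and not code from either poster: the buffer size, the MAXPAGER limit, the `cat %s | %s` command shape and the function names are all assumptions made for the example.

```c
/* Added example: constructed to illustrate the post, not taken from man. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CMDLEN   1024   /* hypothetical fixed command buffer, as in the post */
#define MAXPAGER 256    /* hypothetical upper bound we impose on MANPAGER */

/* Vulnerable shape (constructed; not the real man code). An unbounded
 * sprintf of the MANPAGER value into a stack buffer, followed by system().
 * With MANPAGER=AAAA... longer than cmd[], the saved return address is
 * overwritten and the process dies at 0x41414141, as in the quoted strace.
 * It is never called here because running it is undefined behaviour. */
int vulnerable_view(const char *manfile, const char *pager)
{
    char cmd[CMDLEN];
    sprintf(cmd, "cd /usr/man ; (cat %s | %s)", manfile, pager); /* overflow */
    return system(cmd);
}

/* Fix 1: bound the environment value before it reaches any buffer.
 * Takes the value as a parameter so it can be exercised without getenv(). */
const char *choose_pager(const char *env_value)
{
    if (env_value == NULL || *env_value == '\0' || strlen(env_value) > MAXPAGER)
        return "more";                /* fixed, known-good default */
    return env_value;
}

/* Fix 2: build the command with snprintf and treat truncation as an error
 * instead of silently running a cut-off command line. */
int safe_build(char *out, size_t outlen, const char *manfile, const char *pager)
{
    int n = snprintf(out, outlen, "cd /usr/man ; (cat %s | %s)", manfile, pager);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen)
            out[0] = '\0';
        return -1;                    /* would not fit: refuse */
    }
    return 0;
}

/* Fix 3: drop the setgid group before anything is passed to the shell.
 * system() still hands the string to /bin/sh, so shell metacharacters in
 * MANPAGER are still interpreted; they just no longer run as group man. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setgid(real) != 0)
        return -1;
    return getegid() == real ? 0 : -1;
}

/* Builds the same input as the post's perl -e '{print "A"x4000}'.
 * Caller frees the result. */
char *make_overlong_pager(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char cmd[CMDLEN];
    char *evil = make_overlong_pager(4000);
    const char *pager = choose_pager(evil);

    printf("pager chosen for 4000 x 'A': %s\n", pager);
    printf("safe_build with the raw value: %d\n",
           safe_build(cmd, sizeof cmd, "man1/ls.1", evil));
    if (safe_build(cmd, sizeof cmd, "man1/ls.1", pager) == 0)
        printf("safe_build with the vetted pager: %s\n", cmd);
    printf("drop_group_privs: %d\n", drop_group_privs());
    free(evil);
    return 0;
}
```

The point of keeping all three fixes is that they address different things: choose_pager and safe_build stop the overflow, while drop_group_privs limits what an attacker gains if another system() call in the same binary is still reachable, which is the scenario the Subject line is really about.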