Bugtraq mailing list archives

Re: Troff dangerous.
From: okir () MONAD SWB DE (Olaf Kirch)
Date: Mon, 26 Jul 1999 11:20:23 +0200

On Sun, 25 Jul 1999 10:18:20 EDT, John Robert LoVerso wrote:
> This isn't a problem with "troff" or any of its variants.  Instead,
> this is an exploit purely with "groff", the GNU reimplementation.  Troff
> doesn't have the file stream or ".pso" requests; those are purely part
> of groff.

No, at least .sy and .pi are part of the original troff command set.
Look for the original troff documentation in the att cstr series.

As far as man viewers are concerned, these problems have been discovered
and fixed several times. On Linux, Andries Brouwer's man is safe; it
drops privileges whenever it invokes external commands (note that this includes
gzip and less besides groff). The man_db shipped by some vendors isn't.
I've repeatedly tried to contact the original author, to no avail.

Potential problems like this are also the primary reason why /usr/man
and friends should never be owned by man.man; once you've subverted
user or group man you may be able to plant trojan manpages in them.

Finally, note that apart from the various troff/groff commands, you can
request that certain preprocessors like tbl be run. Some of them also
have special commands that make them run shell code.


Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
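
A defensive audit of the points raised in this message, added here as an example and not part of the original post or of any man implementation: it flags man page sources that use the requests named in the thread (.sy, .pi, .pso, and groff's file stream requests .open, .opena, .write, .close) and files in a man tree that an account other than root could modify. The function names and the sample page are assumptions, and the scan is a line-based heuristic that does not follow .so includes or macro definitions.

```python
import gzip
import re
from pathlib import Path

# Requests named in the thread (.sy, .pi, .pso) plus groff's file stream
# requests (.open, .opena, .write, .close).
UNSAFE = {"sy", "pi", "pso", "open", "opena", "write", "close"}
# A request line starts with a control character (. or '), optional blanks,
# then the request name. Assumes the page has not changed it with .cc/.c2.
REQUEST = re.compile(r"^[.'][ \t]*([A-Za-z0-9]+)")

def unsafe_requests(text):
    """Return (line_number, request) for each unsafe request in roff source."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST.match(line)
        if match and match.group(1) in UNSAFE:
            hits.append((number, match.group(1)))
    return hits

def writable_by_non_root(uid, gid, mode):
    """True if an account other than root could replace or edit the file."""
    return uid != 0 or bool(mode & 0o020 and gid != 0) or bool(mode & 0o002)

def read_page(path):
    """Read a man page source file, transparently handling .gz pages."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rb") as handle:
        return handle.read().decode("latin-1")

def audit(root):
    """Walk a man tree; return {path: findings} for anything suspicious."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink():
            continue  # symlink modes are meaningless; targets are audited directly
        st = path.stat()
        findings = []
        if writable_by_non_root(st.st_uid, st.st_gid, st.st_mode):
            findings.append("writable by non-root")
        if path.is_file():
            findings += [f"line {n}: .{r}" for n, r in unsafe_requests(read_page(path))]
        if findings:
            report[str(path)] = findings
    return report

# Constructed sample page, not taken from any real manual.
SAMPLE = ".TH DEMO 1\n.SH NAME\ndemo \\- sample\n.  sy id\n'pso id\n.sp\n"

if __name__ == "__main__":
    print(unsafe_requests(SAMPLE))
```

Run `audit()` against each directory in the system's man path; a hit on a request is a prompt to read the page source, not proof of a trojan.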
