Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: RH7.0: man local gid 15 (man) exploit
From: Colin Watson <cjwatson () debian org>
Date: Tue, 15 May 2001 20:16:14 +0100

In article <20010513200734.9834.qmail () fiver freemessage com>,
zenith_parsec () the-astronaut com wrote:
========================================================
Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
package) and earlier.
=========================================================
Heap Based Overflow of man via -S option gives GID man.

Due to a slight error in a length check, the -S option to
man can cause a buffer overflow on the heap, allowing redirection of
execution into user supplied code.

man -S `perl -e 'print ":" x 100'`

Will cause a seg fault if you are vulnerable.

With the name of a man page as an additional argument, the version of
man-db shipped with Debian GNU/Linux also segfaults here. I just
uploaded version 2.3.18-2 to Debian unstable which fixes this.

However, I believe that the code bases are different enough that a
segfault is as bad as it gets in man-db (the functions in question are
entirely different, and just happen to have the same failure case). Feel
free to prove me wrong.

Cheers,

-- 
Colin Watson                                     [cjw44 () flatline org uk]


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]