
Bugtraq mailing list archives

Re: RH7.0: man local gid 15 (man) exploit
From: aleph1 () securityfocus com
Date: Wed, 16 May 2001 02:27:18 -0600

Summary of responses in this thread:

From: PJ <briareos () otherlands net>

Doesn't work on Slackware 7.1

This is the result:

elvander:~$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?

From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>

I have many patched rh-7.0 ( patched available on March 13, 2001 )

redhat:/usr/src# man -S `perl -e 'print ":" x 100'`
What manual page do you want?
redhat:/usr/src# cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.18-cdhs on an i586
redhat:/usr/src# man -v
man, version 1.5h
redhat:/usr/src# uname -a
Linux redhat 2.2.18-cdhs #5 SMP Wed Jan 31 05:23:44 PST 2001 i586 unknown

redhat's default kernel is 2.2.16-22

From: rcs <rasta () RSHELL ORG>

Are you sure this has anything to do with heap or buffer overflow ?
man -S : man.page will also core dump (Suse btw).

From: Joris Roefs <jroefs () zedd nl>

[jroefs@router jroefs]$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19 on an i586
[jroefs@router jroefs]$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?

Seems that not all RedHat 7.0 installations are vulnerable.
This installation is (except for the kernel, as you've probably noticed) as
standard as possible, with all existing errata yet to be installed.

Could it be that another (updated) package is responsible for the overflow?

From: Hugh Mc Gauran <hugh.mcgauran () skynet ie>

confirmed as well on debian woody..

From: "Patrick P. Murphy" <pmurphy () NRAO EDU>

Red Hat 7.1 with man-1.5h1-20 is not vulnerable.  Tried 100, 1000, 10000,
100000 with the response "what man page do you want?".  At a million, it
barfed "argument list too long".

From: poke <poke () silverlink net>

Ugggghhhh, ignore my last post. Typo in my test case. I got the segfault
on a RH7.0 system as well.

Elias Levy
Si vis pacem, para bellum
