Home page logo

bugtraq logo Bugtraq mailing list archives

Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]
From: Sylwester "ZarÍbski" <sylwek () tornet pl>
Date: Mon, 14 May 2001 21:21:47 +0200

Sunday, May 13, 2001, 10:07:34 PM, zenith napisa³(a):

Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
package) and earlier.

Heap Based Overflow of man via -S option gives GID man.
Due to a slight error in a length check, the -S option to
man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

man -S `perl -e 'print ":" x 100'`


$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

Will cause a seg fault if you are vulnerable.

It is possible to insert a pointer into a linked list that will allow
overwriting of any value in memory that is followed by 4 null
characters (a null pointer). one such memory location is the last
entry on the GOT (global offset table). When another item is added to
the linked list, the address of the data (a filename) is inserted over
the last value, effectively redefining the function to the code
represented by the filename.

Putting shellcode in the filename allows execution of arbitrary code
when the function referred to is called.

Redhat have be contacted, and will be releasing an errata soon.

GID man allows a race condition for root via
/etc/cron.daily/makewhatis and /sbin/makwhatis

My 'man' executable comes from default installation of RH 7.0.


|      Sylwester Zarêbski      |
|   e-mail: sylwek () tornet pl   |
|      ICQ uin: #45780888      |
|   Administrator TORNET.PL    |

  By Date           By Thread  

Current thread:
  • Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED] ZarÍbski (May 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]