mailing list archives
Re: RH7.0: man local gid 15 (man) exploit
From: solar () openwall com
Date: Tue, 15 May 2001 05:00:28 +0400
On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:
> man -S `perl -e 'print ":" x 100'`
> Will cause a seg fault if you are vulnerable.
This and several other man vulnerabilities have been discussed on
security-audit last year. See:
MARC: thrd 'Multiple man vulnerabilities with Red Hat Linux 6.2'
MARC: thrd 'More fun with man 1.5h1'
I don't think your analysis of the possibilities to exploit this is
entirely correct. The buffer is in the bss, not on the heap. In fact,
the builds of man-1.5h1 I have here won't even segfault on the command
you mention, not even when given 400 colons -- but they do misbehave in
other ways. (I am willing to believe that this really is exploitable
on the RH 7.0 build, which I don't have.)
Of course, this is just one reason why SGID man is bad.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makewhatis
Yes, due to their security fix. I haven't seen this mentioned before
(but I'm not using this broken fix, anyway).
> where /var/cache/man is writable by group man. :-(
The makewhatis patch we have in Owl (http://www.openwall.com/Owl/) is
The section list overflow bug you mention isn't a security problem on
Owl for obvious reasons, but is on my TODO for fixing (has been there
since the security-audit discussion).
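Illustration of the section list overflow discussed above, added to this archive page and not taken from man-1.5h1 or Owl: a fixed-size table in the bss filled from the colon-separated -S argument with no bound check, beside a version that refuses oversize input. MAXSECTIONS, the function names and the 4096-byte copy buffer are assumptions for the example, not values from man's source.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for illustration only; not the value from man-1.5h1. */
#define MAXSECTIONS 16

/* Static (bss) storage, the pattern the thread describes: a fixed-size table
 * filled from the user-controlled -S argument. */
static char  section_copy[4096];
static char *sections[MAXSECTIONS + 1];
static char *checked[MAXSECTIONS + 1];

/* Number of colon-separated fields the loops below produce for arg. */
static int count_fields(const char *arg)
{
    int n = 1;
    for (; *arg; arg++)
        if (*arg == ':')
            n++;
    return n;
}

/* Vulnerable pattern: one pointer stored per field, no check against
 * MAXSECTIONS.  More than MAXSECTIONS fields (e.g. 100 colons) writes past
 * sections[] into whatever the linker placed after it in the bss.
 * Only ever called with short input in this example. */
static int split_sections_unchecked(const char *arg)
{
    int n = 0;
    char *p, *q;

    strncpy(section_copy, arg, sizeof section_copy - 1);
    section_copy[sizeof section_copy - 1] = '\0';
    for (p = section_copy; p; p = q) {
        q = strchr(p, ':');
        if (q)
            *q++ = '\0';
        sections[n++] = p;      /* no bound check */
    }
    sections[n] = NULL;
    return n;
}

/* Hardened form: bound every store and reject oversize input outright rather
 * than truncating silently.  out must have room for max + 1 pointers (NULL
 * terminator).  Returns the field count, or -1 if the argument is too long
 * or has too many fields. */
static int split_sections_checked(const char *arg, char **out, int max)
{
    int n = 0;
    char *p, *q;

    if (strlen(arg) >= sizeof section_copy)
        return -1;
    strcpy(section_copy, arg);
    for (p = section_copy; p; p = q) {
        q = strchr(p, ':');
        if (q)
            *q++ = '\0';
        if (n >= max)
            return -1;          /* would overflow the table: refuse */
        out[n++] = p;
    }
    out[n] = NULL;
    return n;
}

/* Build a run of n colons in a static buffer (the test input from the thread). */
static const char *colon_run(size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, ':', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    const char *arg = colon_run(100);
    printf("100 colons -> %d fields, table holds %d: unchecked loop overflows\n",
           count_fields(arg), MAXSECTIONS);
    printf("checked parser on 100 colons returns %d\n",
           split_sections_checked(arg, checked, MAXSECTIONS));
    printf("\"1:8:3\" -> %d fields (checked), %d fields (unchecked)\n",
           split_sections_checked("1:8:3", checked, MAXSECTIONS),
           split_sections_unchecked("1:8:3"));
    return 0;
}
```

Whether the unchecked loop segfaults depends on what the linker placed after the table in the bss, which is why one build crashes on 100 colons while another only misbehaves, as noted above; the checked parser fails the same way on every build.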