Bugtraq mailing list archives
Re: man problem
From: zen () TROUBLE ORG (d)
Date: Wed, 24 Dec 1997 15:34:46 -0800
I just noticed a problem with the man system (version 2.3.10) on my Linux box: /usr/man contains the .gz'd man pages:
[...]
When I execute man, a temporary file containing the un-zipped manpage is created in /tmp. The name of the tmp-file usually is "zman<PID>aaa", e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
Pretty much the same with unformatted 'roff pages on unix (at least with my suns around here; I assume others mostly do the same), with variously different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc. Another reason to use catman, I guess. What a neat little trick. I never thought man would be a security hole. -- d
Current thread:
- Re: man problem d (Dec 24)
- Re: man problem Rick Byers (Dec 26)
- q1/q2 remote crash attacks Ambrose Feinstein (Dec 26)
- More details about gzip... Micha? Zalewski (Dec 27)
- A security-related bug in RPM Savochkin Andrey Vladimirovich (Dec 27)
- Re: man problem Olaf Kirch (Dec 30)