man/man-db MANPATH bugs exploit

["Luki R ." <luki () karet org>]

Hi,

In some conditions, man allow user's PATH env. to be inserted as manpath.
Man then use manpath value for searching directories contain manpages.
This is ok until man forgot to drop privilledges when creating cat pages
cache files using user's supplied PATH.

I've successfully try this on 2 different man system, debian's and redhat's.
Yes, this is not a new bugs since debian hax fixed it on man-db 2.3.18-6 
in unstable (hi Colin Watson :)) and 2.3.16-4.
and for redhat see redhat's bugzilla  #43213
Sorry if this is already mentioned before.

Attached is a complete proof of concept exploit script for 
redhat7.1 and Debian2.2. for your convenience.

I just want to say that the impact is not only creating files owned by man
uid/gid but combined with symlinks and other tricks, the results are:

[1] On debian's man-db (<= 2.3.17-3.2, 2.3.16-3):
    instant user 'man' setuid shell
    (as user 'man' you may do something tricky to be root)
[2] On RedHat's man (<= man-1.5h1-20):
    (trivial) executing any binary, ie. to make any user's suidshell,
    including root

However, to produce a succesfull exploit we must met the conditions:
- man system that write catpages cache [1] & [2]
- suid / sgid man binaries [1] & [2] (to be able to write to cache dirs)
- there is a command which have no manpages (coz we will create it ;p ) [2]
- victim user must then executed 'man <command with no manpage>' [2]


see the exploits for details.


Have a nice day,

[----- jenggo (luki () karet org) -----]


PS:
(halo, ada yg tertarik untuk ngulik supaya jadi root di redhat ? ;P)

trully greets to: echo, mayonaise and others @ #karet
                  Mr.gus, mega, amien, akbar ...damai, damai

Attachment: mandebian.sh
Description:

Attachment: manredhat.sh
Description: