Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]

[Sylwester "Zarêbski" <sylwek () tornet pl>]

Sunday, May 13, 2001, 10:07:34 PM, zenith napisa³(a):

> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================

> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

> man -S `perl -e 'print ":" x 100'`

Confirmed:

$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

> Will cause a seg fault if you are vulnerable.

> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). one such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.

> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.

> Redhat have be contacted, and will be releasing an errata soon.

> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis

My 'man' executable comes from default installation of RH 7.0.

-- 
pozdrawiam

|      Sylwester Zarêbski      |
|   e-mail: sylwek () tornet pl   |
|      ICQ uin: #45780888      |
|   Administrator TORNET.PL    |