Bugtraq mailing list archives

Re: RH7.0: man local gid 15 (man) exploit


From: solar () openwall com
Date: Tue, 15 May 2001 05:00:28 +0400

On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:
> man -S `perl -e 'print ":" x 100'`
> 
> Will cause a seg fault if you are vulnerable.

This and several other man vulnerabilities have been discussed on
security-audit last year.  See:

MARC: thrd 'Multiple man vulnerabilities with Red Hat Linux 6.2'
http://marc.theaimsgroup.com/?t=97096128600001&w=2&r=1

MARC: thrd 'More fun with man 1.5h1'
http://marc.theaimsgroup.com/?t=97135295400001&w=2&r=1

I don't think your analysis of the possibilities to exploit this is
entirely correct.  The buffer is in the bss, not on the heap.  In fact,
the builds of man-1.5h1 I have here won't even segfault on the command
you mention, not even when given 400 colons -- but they do misbehave in
other ways.  (I am willing to believe that this really is exploitable
on the RH 7.0 build, which I don't have.)

Of course, this is just one reason why SGID man is bad.

> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makewhatis

Yes, due to their security fix.  I haven't seen this mentioned before
(but I'm not using this broken fix, anyway).

-TMPFILE=$HOME/whatis$$
-TMPFILEDIR=/tmp/whatis$$
+TMPFILE=/var/cache/man/whatis$$
+TMPFILEDIR=/var/cache/man/whatis$$
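Review bot: moving TMPFILE and TMPFILEDIR from $HOME and /tmp into /var/cache/man trades one problem for another: that directory is writable by group man, the names are still predictable (whatis$$), and the script runs as root from /etc/cron.daily, so any process running with gid man can pre-create or replace those paths while the job runs. Create the scratch file and directory with mktemp / mktemp -d inside a root-owned directory that no other principal can write to, and have the script refuse to proceed if the directory's owner or mode is not what it expects.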

where /var/cache/man is writable by group man. :-(

The makewhatis patch we have in Owl (http://www.openwall.com/Owl/) is
attached.

The section list overflow bug you mention isn't a security problem on
Owl for obvious reasons, but is on my TODO for fixing (has been there
since the security-audit discussion).

-- 
/sd

Attachment: man-1.5h1-owl-makewhatis.diff
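The failure the quoted Red Hat fix introduces, a predictable scratch name created by root in a directory another group can write to, is illustrated below with an added shell example; it is not the Owl patch attached to this post nor Red Hat's makewhatis, and it assumes GNU coreutils (stat -c, mktemp). The directory layout it builds is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not the Owl patch attached to this post, and not Red Hat's
# makewhatis): a root cron job should create its scratch files only in a
# directory nobody else can write to, and let mktemp pick the name instead
# of using a predictable whatis$$.  Assumes GNU coreutils (stat -c, mktemp).

# dir_is_private DIR: succeed only if DIR is a directory owned by the
# caller that is neither group- nor world-writable.  A sticky 1777 /tmp is
# rejected too: a predictable name there can still be pre-created by others.
dir_is_private() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%u' "$dir")" = "$(id -u)" ] || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    # drop the leading setuid/setgid/sticky digit when stat prints four
    case ${#mode} in 4) mode=${mode#?} ;; esac
    grp=${mode%?}; grp=${grp#?}   # middle digit: group permissions
    oth=${mode#??}                # last digit: other permissions
    case $grp in 2|3|6|7) return 1 ;; esac   # group write bit set
    case $oth in 2|3|6|7) return 1 ;; esac   # world write bit set
    return 0
}

# make_scratch DIR PREFIX: print the path of a freshly created 0600 file
# with an unpredictable name, or fail if DIR could be tampered with.
make_scratch() {
    dir_is_private "$1" || { echo "refusing scratch dir $1" >&2; return 1; }
    mktemp "$1/$2.XXXXXX"
}

# demo: constructed layout mirroring the two cases in the thread.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -m 0775 "$base/cache"   # like /var/cache/man: group-writable
    mkdir -m 0755 "$base/priv"    # owner-writable only
    if make_scratch "$base/cache" whatis >/dev/null 2>&1; then
        echo "group-writable dir accepted (should not happen)"
    else
        echo "group-writable dir rejected"
    fi
    f=$(make_scratch "$base/priv" whatis) && echo "scratch file: $f"
    rm -rf "$base"
}

demo
```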