Bugtraq mailing list archives
Re: RH7.0: man local gid 15 (man) exploit
From: solar () openwall com
Date: Tue, 15 May 2001 05:00:28 +0400
On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:
> man -S `perl -e 'print ":" x 100'`
> Will cause a seg fault if you are vulnerable.
This and several other man vulnerabilities have been discussed on security-audit last year. See:

MARC: thrd 'Multiple man vulnerabilities with Red Hat Linux 6.2'
http://marc.theaimsgroup.com/?t=97096128600001&w=2&r=1

MARC: thrd 'More fun with man 1.5h1'
http://marc.theaimsgroup.com/?t=97135295400001&w=2&r=1

I don't think your analysis of the possibilities to exploit this is entirely correct. The buffer is in the bss, not on the heap. In fact, the builds of man-1.5h1 I have here won't even segfault on the command you mention, not even when given 400 colons -- but they do misbehave in other ways. (I am willing to believe that this really is exploitable on the RH 7.0 build, which I don't have.)

Of course, this is just one reason why SGID man is bad.
> GID man allows a race condition for root via /etc/cron.daily/makewhatis and /sbin/makewhatis
Yes, due to their security fix. I haven't seen this mentioned before (but I'm not using this broken fix, anyway).

-TMPFILE=$HOME/whatis$$
-TMPFILEDIR=/tmp/whatis$$
+TMPFILE=/var/cache/man/whatis$$
+TMPFILEDIR=/var/cache/man/whatis$$

where /var/cache/man is writable by group man. :-(

The makewhatis patch we have in Owl (http://www.openwall.com/Owl/) is attached. The section list overflow bug you mention isn't a security problem on Owl for obvious reasons, but is on my TODO for fixing (has been there since the security-audit discussion).

--
/sd
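Review bot: the replacement TMPFILE and TMPFILEDIR values still use only the process id ($$) as the unique part of the name and move it into /var/cache/man, which the message states is writable by group man, so a group-man user can pre-create that name (or a symlink at it) before the root cron job runs; create the scratch files under a directory that group man cannot write to, or use mktemp so the name is unpredictable and an already existing path is refused rather than followed.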
Attachment:
man-1.5h1-owl-makewhatis.diff