man bugs might lead to root compromise (RH 6.1 and other boxes)


Date: Sun, 27 Feb 2000 23:48:09 -0500
From: Mark Whitis <[email protected]>
To: [email protected]
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)

On Sat, 26 Feb 1994, Michal Zalewski wrote:

> With most of Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environmental variables. For example,
> by specifying MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:

This might be a side effect of the fix for another security hole.
IIRC, /var/catman/ was world writable allowing for all kinds of symlink
games which would allow ordinary users to do some things as root
(like clobbering files) by laying a trap in /var/catman/ and waiting
for root to run man.

Exploiting this buffer overflow bug to gain man privileges would then
allow you to exploit the previous bugs as well if root runs "man"
(or possibly the privileges of any user who runs man).

If you need to run man as root, consider:
   su nobody -c "man ls"             # assumes shell is /bin/bash
Or just switch to another console or window.

The man program was never designed to be secure but having a shared
manpage cache requires man to be secure.  If you disable man page caching,
you should be able to run man without setgid.

---------------------------------------------------------------------------
---  Mark Whitis <[email protected]>     WWW:  http://www.dbd.com/~whitis/ ---
---------------------------------------------------------------------------
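The two conditions this message combines, a setgid man binary and a world-writable /var/catman cache, can be audited with the short POSIX sh script below; it is an added example, not code from the post or from any man implementation. It reads mode bits from ls -ld only, and the default paths are the ones named in the thread (pass others as arguments).

```shell
#!/bin/sh
# Added example (not from the original post): report whether the man binary
# carries setuid/setgid and whether the manpage cache directory is writable
# by everyone without the sticky bit, the two conditions discussed above.

# Print the 10-character mode string (e.g. drwxrwxrwt) for a path.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Print "setuid", "setgid", "setuid+setgid" or "none" for a file.
priv_bits() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    u=$(printf '%s' "$m" | cut -c4)    # owner execute slot: s/S = setuid
    g=$(printf '%s' "$m" | cut -c7)    # group execute slot: s/S = setgid
    r=""
    case "$u" in s|S) r="setuid";; esac
    case "$g" in s|S) r="${r:+$r+}setgid";; esac
    printf '%s\n' "${r:-none}"
}

# Classify a directory for the symlink-trap condition:
#   world-writable        : others may write, no sticky bit (the /var/catman case)
#   world-writable-sticky : others may write but sticky bit is set (like /tmp)
#   ok                    : others cannot write
dir_risk() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    o=$(printf '%s' "$m" | cut -c9)    # other write slot
    t=$(printf '%s' "$m" | cut -c10)   # other execute slot: t/T = sticky
    case "$o" in
        w) case "$t" in t|T) echo world-writable-sticky;; *) echo world-writable;; esac;;
        *) echo ok;;
    esac
}

# Audit the paths named in the thread (or the two given as arguments).
audit_man() {
    bin=${1:-/usr/bin/man}
    cache=${2:-/var/catman}
    [ -e "$bin" ] && printf '%s: %s\n' "$bin" "$(priv_bits "$bin")"
    [ -d "$cache" ] && printf '%s: %s\n' "$cache" "$(dir_risk "$cache")"
    return 0
}
```

Run `audit_man` with no arguments on a box from that era and the expected safe result is "none" for the binary (caching disabled, as the message suggests) and "ok" for the cache directory.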
