Date: 2001-06-12 00:40 +1200
From: <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Subject: man 1.5h10 + man 1.5i-4 exploits
Message-ID: <Pine.LNX.4.33.0106120035330.16897-100000@clarity.local>

This advisory is also stored, along with the exploits, at
http://generic.labs.pulltheplug.com/zen/ as man.txt

======================================================================
Local root from /usr/bin/man + /etc/cron.daily/makewhatis.cron
Redhat 7.0
Redhat 7.1
(on other distributions it may also allow enhanced privileges)
======================================================================

Affects: (root on these systems)

//==============================================\\
|| RedHat man-1.5h1-10                          ||
|| default for Redhat 7.0 (pre-update)          ||
>>==============================================<<
|| RedHat man-1.5i-4                            ||
|| 1st security update for Redhat 7.0           ||
|| (also affects Redhat 7.1)                    ||
\\==============================================//

NB: This is a bug in the man package, not the man-db package.

======================================================================
* * W A R N I N G * *

Multiple versions of man are affected. The version numbers given are
RedHat rpm version numbers. Just because a version is not listed here,
it does not mean it is not vulnerable.

The main problem, which allows root, is in the /usr/sbin/makewhatis
file. If there is no checking for shell metacharacters in files being
used as arguments, it is possible there is a problem.

======================================================================
man-1.5h1

  man -S `perl -e 'print ":" x 100'` ls

will cause a Segmentation fault error, due to incorrect bounds checking
in the array used to hold the section list.
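The crash above comes from a section list that is split on ':' into a fixed-size array without checking how many entries arrive. As an added example (not code from the advisory or from the man package), here is a bounded section-list parser in C that refuses input which would overflow either the entry count or an entry's length; the table sizes, struct and function names are assumptions chosen for this example, not man's own.

```c
#include <stdio.h>
#include <string.h>

/* Assumed table sizes for this example; man's real limits differ. */
#define MAX_SECTIONS 16
#define MAX_SECTION_LEN 32

struct section_list {
    int count;
    char names[MAX_SECTIONS][MAX_SECTION_LEN];
};

/* Parse a colon-separated list such as "1:8:3p" into a bounded table.
 * Returns the number of sections stored, or -1 when the input would
 * overflow the entry count or an entry's length. Empty fields (as a
 * run of "::" produces) are skipped rather than stored, so a long run
 * of separators is harmless instead of filling the table. */
int parse_section_list(const char *spec, struct section_list *out)
{
    const char *p = spec;
    out->count = 0;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len > 0) {
            if (out->count >= MAX_SECTIONS)
                return -1;          /* refuse instead of writing past the table */
            if (len >= MAX_SECTION_LEN)
                return -1;          /* refuse instead of truncating or overrunning */
            memcpy(out->names[out->count], p, len);
            out->names[out->count][len] = '\0';
            out->count++;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return out->count;
}

/* Convenience wrappers over a static table so a list can be checked
 * with a single call. */
static struct section_list last_parsed;

int count_sections(const char *spec)
{
    return parse_section_list(spec, &last_parsed);
}

const char *section_at(int idx)
{
    if (idx < 0 || idx >= last_parsed.count)
        return NULL;
    return last_parsed.names[idx];
}

int main(void)
{
    char colons[101];                       /* constructed: the ":" x 100 case */
    memset(colons, ':', 100);
    colons[100] = '\0';
    printf("\"1:8:3p\"    -> %d\n", count_sections("1:8:3p"));
    printf("100 colons  -> %d\n", count_sections(colons));
    printf("17 sections -> %d\n",
           count_sections("1:2:3:4:5:6:7:8:9:10:11:12:13:14:15:16:17"));
    return 0;
}
```

A rejected list returns -1 and the caller falls back to the default sections; the point is that the number of separators in user-controlled input never decides how much of the table gets written.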
Stored after the tmp_section_list structure are the heads of a couple of
linked lists, cat_list and man_list, which hold the names of the files
already shown. By using a pointer to strcpy() (the last entry in the GOT)
as the 'next' pointer, it is possible to overwrite the address of the
library function 'strcpy' with a newly malloc()ed string containing the
name of the file just viewed. The string will then be executed instead
of strcpy. (strcpy() is used because it has a NULL after it in the GOT,
which looks to man to mean "this is the tail of the linked list", and
because it gets called at the appropriate time.)

Exploiting this gives you gid man. (Elevation of gid man -> root is
dealt with after the next section.)

[I forgot the filename argument in the original post. Sorry.]

======================================================================
man-1.5i-4

This version does not have the -S problem. It does, however, have an
overflow in the handling of .so (sourced) man pages.

If a manpage has .so something as the first line, ultimate_source()
attempts to find the file referred to by the something. If it is
compressed, it uses my_popen(), a wrapped version of popen() that drops
privs to the user, to read the contents, and checks that file for a .so
line as well.

Under certain circumstances the filename will increase in length. As
there is no checking for the existence of the file other than the return
value from the popen() call, it is possible, by embedding shell
metacharacters in the filename to be opened, to trick it into thinking
it succeeded. The same commands that fool it into thinking it succeeded
can return the name of the next file to look at. This can be done
several times, until the overflow has reached the desired point.

(ultname is 8192 bytes long, but due to the layout of the variables in
memory, it needs an overflow of more than double that in order to affect
the list structure used in the previous exploit, which is what my
exploit does.)
Successful exploitation will result in gid man.

======================================================================
/usr/sbin/makewhatis

  ...
  function readline() {
      if (use_zcat) {
          result = (pipe_cmd | getline);
          if (result < 0) {
              print "Pipe error: " pipe_cmd " " ERRNO > "/dev/stderr";
          }
  ...
      if (use_zcat) {
          pipe_cmd = "zcat " filename;
  ...

Imagine a file called:

  "ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo .1.gz"

======================================================================
example exploits:

- http://generic.labs.pulltheplug.com/zen/

These files may or may not require tweaking to get working. **

  man-1.5h1-10-root-exploit.tar.gz
  man-1.5i-4-root-exploit.tar.gz

This is the exploit for minicom-1.83.1-4. It is included here because it
gains root via the makewhatis metachar bug, helped by the use of
/var/lock/makewhatis.lock in a gid uucp writable directory.

  minicom-root-exploit.tar.gz

======================================================================
more information:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19351
  MANSECT and -S overflow

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40400
  man 1.5h1-10 has an exploitable overflow

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805
  root from gid man

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
  man-1.5i-4: local->gid man-> root in update

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43213
  Man didn't drop privs when adding user PATH as MANPATH
  (related 'feature', arbitrary commands by user invoking man)

======================================================================
--zen-parse
Mon Jun 4 23:17:50 NZST 2001

** Most of the exploit tweaking involves details covered here, or the
   set up of programs for the exploits to work with.
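Both the my_popen() path in man-1.5i-4 and the `pipe_cmd = "zcat " filename` line in makewhatis share one defect: a filename found on disk is spliced verbatim into a command string that a shell then parses. As an added example (not code from the advisory, from man, or from makewhatis), here are C helpers a maintainer could use on that boundary: a metacharacter check for deciding which names to refuse, a single-quote escaper for the case where a shell command string is unavoidable, and an argv builder that runs zcat through execvp() with no shell at all. The function names, the metacharacter set and the sample page names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes the shell gives special meaning inside a string such as
 * "zcat " filename. A name containing any of these must not be spliced
 * into a command line verbatim. (Assumed set for this example.) */
static const char SHELL_META[] = ";|&$`\"'\\<>()*?[]{}~#!\n\t ";

/* Return 1 if name contains any shell metacharacter, else 0. */
int has_shell_metachars(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* Wrap in in single quotes, turning each embedded ' into '\'' so the
 * result is one shell word. Returns the output length, or -1 if out is
 * too small (nothing is written past outsz). */
int shell_single_quote(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (o + 1 >= outsz) return -1;
    out[o++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            if (o + 4 >= outsz) return -1;
            memcpy(out + o, "'\\''", 4);
            o += 4;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
        }
    }
    if (o + 1 >= outsz) return -1;
    out[o++] = '\'';
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper over a static buffer. */
static char quote_buf[256];
const char *quoted(const char *in)
{
    return shell_single_quote(in, quote_buf, sizeof quote_buf) < 0 ? NULL : quote_buf;
}

/* Preferred fix: no shell at all. Build an argv for execvp(); the
 * filename is a single element, and "--" stops a name that starts with
 * '-' from being read as an option. */
static const char *zcat_args[4];
const char **zcat_argv(const char *filename)
{
    zcat_args[0] = "zcat";
    zcat_args[1] = "--";
    zcat_args[2] = filename;
    zcat_args[3] = NULL;
    return zcat_args;
}

/* How many of n page names a makewhatis-style scan should refuse. */
size_t count_suspicious(const char *const names[], size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (has_shell_metachars(names[i]))
            bad++;
    return bad;
}

/* Constructed sample directory listing, including one hostile name. */
static const char *const SAMPLE_NAMES[] = {
    "ls.1.gz",
    "man.1.gz",
    "ls.1.gz;echo injected .1.gz",
    "-dash.1.gz",
};
#define SAMPLE_COUNT (sizeof SAMPLE_NAMES / sizeof SAMPLE_NAMES[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%-32s %s  quoted: %s\n", SAMPLE_NAMES[i],
               has_shell_metachars(SAMPLE_NAMES[i]) ? "REFUSE" : "ok    ",
               quoted(SAMPLE_NAMES[i]));
    printf("%zu of %zu names refused\n",
           count_suspicious(SAMPLE_NAMES, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

Quoting makes the crafted "ls.1.gz;cd ..;..." name harmless because the whole thing becomes a single argument to zcat, which then simply fails to find it; the argv form removes the shell from the picture entirely, so there is no quoting to get wrong. Note that "-dash.1.gz" passes the metacharacter check yet would still be misread as an option without the "--".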