6504316 2001-05-15 20:16 +0100 /35 lines/ Colin Watson <cjwatson@debian.org>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16 14:48 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17029>
Comment on text 6491924 by zenith parsec <zenith_parsec@the-astronaut.com>
Subject: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
From: Colin Watson <cjwatson@debian.org>
To: bugtraq@securityfocus.com
Message-ID: <20010515201614.C10988@riva.ucam.org>

In article <20010513200734.9834.qmail@fiver.freemessage.com>,
zenith_parsec@the-astronaut.com wrote:
>========================================================
>Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
>package) and earlier.
>=========================================================
>Heap Based Overflow of man via -S option gives GID man.
>
>Due to a slight error in a length check, the -S option to
>man can cause a buffer overflow on the heap, allowing redirection of
>execution into user supplied code.
>
>man -S `perl -e 'print ":" x 100'`
>
>Will cause a seg fault if you are vulnerable.

With the name of a man page as an additional argument, the version of
man-db shipped with Debian GNU/Linux also segfaults here. I just
uploaded version 2.3.18-2 to Debian unstable which fixes this.

However, I believe that the code bases are different enough that a
segfault is as bad as it gets in man-db (the functions in question are
entirely different, and just happen to have the same failure case).
Feel free to prove me wrong.

Cheers,

--
Colin Watson [cjw44@flatline.org.uk]
(6504316) /Colin Watson <cjwatson@debian.org>/(Rewrapped)

6506180 2001-05-16 02:27 -0600 /81 lines/ <aleph1@securityfocus.com>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16 18:38 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17038>
Subject: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
From: aleph1@securityfocus.com
To: bugtraq@securityfocus.com
Message-ID: <20010516022718.A12303@securityfocus.com>

Summary of responses in this thread:

From: PJ <briareos@otherlands.net>

Doesn't work on Slackware 7.1

This is the result:

elvander:~$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?
elvander:~$

From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>

I have many patched rh-7.0 ( patched available on March 13, 2001 )

redhat:/usr/src# man -S `perl -e 'print ":" x 100'`
What manual page do you want?
-----------
redhat:/usr/src# cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.18-cdhs on an i586
redhat:/usr/src# man -v
man, version 1.5h
redhat:/usr/src# uname -a
Linux redhat 2.2.18-cdhs #5 SMP Wed Jan 31 05:23:44 PST 2001 i586 unknown

redhat's default kernel is 2.2.16-22

From: rcs <rasta@RSHELL.ORG>

Are you sure this has anything to do with heap or buffer overflow ?

man -S : man.page

will also core dump (Suse btw).

From: Joris Roefs <jroefs@zedd.nl>

[jroefs@router jroefs]$ cat /etc/issue
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19 on an i586
[jroefs@router jroefs]$ man -S `perl -e 'print ":" x 100'`
What manual page do you want?

Seems that not all RedHat 7.0 installations are vulnerable. This
installation is (except for the kernel, as you've probably noticed) as
standard as possible, with all existing errata yet to be installed.
Could it be that another (updated) package is responsible for the
overflow?

From: Hugh Mc Gauran <hugh.mcgauran@skynet.ie>

confirmed as well on debian woody..

From: "Patrick P. Murphy" <pmurphy@NRAO.EDU>

Red Hat 7.1 with man-1.5h1-20 is not vulnerable. Tried 100, 1000,
10000, 100000 with the response "what man page do you want?". At a
million, it barfed "argument list too long".

From: poke <poke@silverlink.net>

Ugggghhhh, ignore my last post. Typo in my test case. I got the
segfault on a RH7.0 system as well.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
(6506180) / <aleph1@securityfocus.com>/---(Rewrapped)

6507417 2001-05-16 18:06 +0100 /24 lines/ Stephen Shirley <diamond@skynet.ie>
Sent by: joel@lysator.liu.se
Imported: 2001-05-16 23:15 by Brevbäraren
External recipient: Bugtraq Mailing List <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <17049>
Subject: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
From: Stephen Shirley <diamond@skynet.ie>
To: Bugtraq Mailing List <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.32.0105161802130.26654-100000@skynet>

Hi,
The info posted to get man to seg fault is slightly incorrect. You
need to supply some text as the name of a man page - otherwise man will
reject all input. The number of :'s is irrelevant too - one is enough.

man -S : blah

will cause a seg fault. This has been confirmed on debian 2.2 woody, and
I submitted a patch to fix it. The new version is in unstable - ver
2.3.18-2. From the changelog of 2.3.18-2:

  * man would segfault if the argument to -S contained only colons, and
    incidentally treated an empty argument to -S wrongly. Both cases now
    use the standard list of sections instead (thanks, Colin Phipps and
    Stephen Shirley; closes: #97553, #97566).

Steve

--
"My mom had Windows at work and it hurt her eyes real bad"
(6507417) /Stephen Shirley <diamond@skynet.ie>/(Rewrapped)
Commented on in text 6508613 by PJ <briareos@otherlands.net>

6508613 2001-05-16 16:55 -0700 /52 lines/ PJ <briareos@otherlands.net>
Sent by: joel@lysator.liu.se
Imported: 2001-05-17 09:35 by Brevbäraren
External recipient: Stephen Shirley <diamond@skynet.ie>
External CC recipient: Bugtraq Mailing List <bugtraq@securityfocus.com>
External replies to: briareos@otherlands.net
Recipient: Bugtraq (import) <17058>
Comment on text 6507417 by Stephen Shirley <diamond@skynet.ie>
Subject: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
From: PJ <briareos@otherlands.net>
To: Stephen Shirley <diamond@skynet.ie>
Cc: Bugtraq Mailing List <bugtraq@securityfocus.com>
Message-ID: <20010516165507.A32075@elvander.otherlands.net>

FYI, still doesn't work on Slackware 7.1

$ man -S : blah
No manual entry for blah
$
$ man -S ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: blah
blah: nothing appropriate
$

I have tried the other command to try to get man to segfault with a
supplied argument, still nothing.

$ man -S `perl -e 'print ":" x 100'` blah
No manual entry for blah
$

On Wed, 16 May 2001, Stephen Shirley wrote:

> Hi,
> The info posted to get man to seg fault is slightly incorrect. You
> need to supply some text as the name of a man page - otherwise man will
> reject all input. The number of :'s is irrelevant too - one is enough.
>
> man -S : blah
> will cause a seg fault. This has been confirmed on debian 2.2 woody, and I
> submitted a patch to fix it. The new version is in unstable - ver
> 2.3.18-2. From the changelog of 2.3.18-2:
>
>   * man would segfault if the argument to -S contained only colons, and
>     incidentally treated an empty argument to -S wrongly. Both cases now
>     use the standard list of sections instead (thanks, Colin Phipps and
>     Stephen Shirley; closes: #97553, #97566).
>
> Steve
> --
> "My mom had Windows at work and it hurt her eyes real bad"
>
>

PJ

--
My brain needs a new OS - it can't stay up for much longer than 24
hours without a reboot.
(6508613) /PJ <briareos@otherlands.net>/--(Rewrapped)
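The failure mode discussed in this thread (a -S argument that is empty or consists only of colons) and the fix described in the 2.3.18-2 changelog, as an added example that is neither man's nor man-db's own code: a bounded parser for a colon-separated section list that skips empty fields, never copies past its buffers however long the argument is, and falls back to a default section list when the argument yields no sections. The function names, size limits and default section order are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_SECTIONS 16   /* bound on stored sections, whatever the input length */
#define MAX_SECTION_LEN 7 /* longest section name kept, e.g. "3perl" */

/* Assumed default search order; a placeholder, not man's real table. */
static const char *const default_sections[] = { "1", "8", "2", "3", "5", "7" };
#define N_DEFAULT (sizeof default_sections / sizeof default_sections[0])

struct section_list {
    size_t count;
    char items[MAX_SECTIONS][MAX_SECTION_LEN + 1];
};

/* Store at most MAX_SECTION_LEN bytes of s; returns 0, or -1 if the list is
 * full or the name is too long (nothing is written past either bound). */
static int push_section(struct section_list *l, const char *s, size_t len)
{
    if (l->count >= MAX_SECTIONS || len > MAX_SECTION_LEN)
        return -1;
    memcpy(l->items[l->count], s, len);
    l->items[l->count][len] = '\0';
    l->count++;
    return 0;
}

/* Parse a colon-separated section list such as "1:3:8". Empty fields are
 * skipped, so ":" and ":::" contribute nothing; over-long names or too many
 * sections are rejected rather than copied past a bound; and a NULL, empty
 * or all-colon argument falls back to the default list, as the Debian
 * 2.3.18-2 changelog describes. Returns 0 on success, -1 if rejected. */
int parse_sections(const char *arg, struct section_list *out)
{
    out->count = 0;
    for (const char *p = arg; p != NULL && *p != '\0'; ) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len > 0 && push_section(out, p, len) != 0)
            return -1;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    if (out->count == 0)  /* "", ":", ":::" -> standard list instead */
        for (size_t i = 0; i < N_DEFAULT; i++)
            push_section(out, default_sections[i], strlen(default_sections[i])); /* cannot fail: defaults fit */
    return 0;
}
```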