man, i security hole

Bartosz Waszak waszi w pld.org.pl
Sun, 5 Mar 2000, 16:29:08 CET


Michał Zalewski reported some time ago a bug in man - when it runs
setgid.

[..] SNIP

Message-ID:   <Pine.LNX.4.21.9402261301190.12075-100000 w dione.ids.pl>
Date:         Sat, 26 Feb 1994 13:48:35 +0100
From:         Michal Zalewski <lcamtuf w DIONE.IDS.PL>
Subject:      man bugs might lead to root compromise (RH 6.1 and other boxes)
To:           BUGTRAQ w SECURITYFOCUS.COM


With most of Linux distributions, /usr/bin/man is shipped as setgid man.
This setgid bit is required to build formatted manpages in /var/catman for
faster access. Unfortunately, man does almost everything via system()
calls, where parameters are user-dependent, and almost always it's
sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
privileges, using buffer overflows in environmental variables. For example,
by specifying MANPAGER variable with approx 4k 'A' letters, you'll get
SEGV:

$ MANPAGER=`perl -e '{print "A"x4000}'` man ls

[...]

1200  setuid(500)                       = 0
1200  setgid(15)                        = 0
1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200  close(-1)                         = -1 EBADF (Bad file descriptor)
1200  write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200  --- SIGSEGV (Naruszenie ochrony pamięci) ---
1200  +++ killed by SIGSEGV +++

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

As you can see, SEGV occurs when we're at privileged level (after setgid
man) and is trivially exploitable (generic stack overflow). What then? We
have 'man' privileges and write access to /var/catman directory tree (less
interesting, can be used to mess around with man output), and, usually, to
some /usr/man files (it shouldn't be possible, but some compilers, like
cpp, and programs like fetchmail, for some reasons have g+w manpages on
many systems). Days ago, Pawel Wilk described possible vulnerability in
manpage processing - execution of arbitrary code when evil manpage is
being browsed... Sample manpage is available at:

ftp://dione.ids.pl/people/siewca/security/man/mkroot.9

So, if you have write access to some manpages, and root uses man, there's
a chance to gain root privileges. If not, only lusers are affected.

I have no information on other Unices, except for *BSD, where it seems to
be patched days ago, and SunOS, which seems to be vulnerable, but isn't
setuid/setgid (am I right? only one system tested).

Solution: remove sgid bit from /usr/bin/man (it will be no longer creating
preformatted manpages in /var/catman), or rewrite major portions of 'man'
code.

[..] SNIP

Our man is also vulnerable to this. It would be good to get rid of the +s on man.

PS. Kloczek, how is your new-generation man with the docbook parser coming along?

-- 
-=[   Bartosz Waszak   ]--[                                                ]=-
-=[  waszi w pld.org.pl  ]==[ It is easier to fix Unix than to live with NT. ]=-
-=[ Linux User #153066 ]--[                                                ]=-
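The quoted advisory blames "sprintf'ed into fixed size buffers, then system()" with environment-controlled input in a setgid binary. As an added illustration (not man's code, and not part of the thread), here is a bounded builder for the pager command that refuses oversized input instead of overflowing, and a policy helper that ignores MANPAGER altogether when the process runs with elevated ids. Function names, the 256-byte buffer and the default pager path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CMD_MAX 256   /* hypothetical fixed-size command buffer */

/* Build "<pager> <file>" into out[outlen].  Returns 0 on success, -1 if
 * the result does not fit.  snprintf() returns the length it wanted to
 * write, so n >= outlen means truncation; we refuse in that case rather
 * than run a mangled command (with sprintf this is where the stack got
 * overwritten by a 4000-byte MANPAGER). */
int build_pager_cmd(const char *pager, const char *file,
                    char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s %s", pager, file);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Policy: an environment-supplied pager is only honoured when the process
 * is not privileged.  Reading MANPAGER under a setgid id is the exposure
 * the advisory describes, so fall back to a built-in default instead. */
const char *choose_pager(const char *env_pager, int privileged)
{
    if (privileged || env_pager == NULL || env_pager[0] == '\0')
        return "/usr/bin/more";   /* hypothetical default pager */
    return env_pager;
}

/* True when real and effective ids differ, i.e. we run setuid/setgid. */
int is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *pager = choose_pager(getenv("MANPAGER"), is_privileged());
    if (build_pager_cmd(pager, "/usr/man/man1/ls.1", cmd, sizeof cmd) != 0) {
        fputs("pager command too long, refusing\n", stderr);
        return 1;
    }
    printf("would run: %s\n", cmd); /* prefer execvp() over system() here */
    return 0;
}
```

Even with the bounded buffer, handing the result to system() still routes user input through the shell, which is why the last comment points at execvp().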