Re: man problem

From: d (zenat_private)
Date: Wed Dec 24 1997 - 15:34:46 PST


    > I just noticed a problem with the man system (version 2.3.10) on my Linux
    > box: /usr/man contains the .gz'd man pages:
    [...]
    > When I execute man, a temporary file containing the un-zipped manpage is
    > created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
    > e.g. "zman10849aaa". This can be exploited with a simple symlink attack:
    
    Pretty much the same with unformatted 'roff pages on unix (at least with
    my suns around here; I assume others mostly do the same), with variously
    different filenames; sunos uses /tmp/man{pid}, solaris /tmp/mpa+cruft, etc.
    Another reason to use catman, I guess.
    
    What a neat little trick.  I never thought man would be a security hole.
    
    -- d
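
The fix for the predictable-name problem discussed in this thread, as an added example that is not part of the original messages or of any man implementation: create the scratch file with `O_CREAT | O_EXCL`, or let `mkstemp()` pick the name. The function names, the demo directory and the `victim` target are constructed for illustration, and the symlink is planted only inside a private directory the program creates.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a scratch file at a fixed, guessable path, refusing anything already
 * there. With O_CREAT|O_EXCL, open() fails with EEXIST if the name exists,
 * even when it is a dangling symlink, so a planted link is never followed. */
int open_fixed_name_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * atomically with mode 0600. tmpl must end in "XXXXXX". */
int open_unpredictable(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Constructed scenario: a symlink already sits at a "zman<PID>aaa" style
 * name. Returns 0 if the exclusive open refuses it, the link target is never
 * created, and the mkstemp() file is private to its owner. */
int demo(void)
{
    char dir[] = "/tmp/zmandemoXXXXXX";
    char link_path[128], target[128], tmpl[128];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(link_path, sizeof link_path, "%s/zman%ldaaa", dir, (long)getpid());
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(tmpl, sizeof tmpl, "%s/zmanXXXXXX", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return 1; }
    int fd1 = open_fixed_name_safely(link_path);
    int refused = (fd1 == -1 && errno == EEXIST);
    int target_absent = (stat(target, &st) == -1 && errno == ENOENT);
    int fd2 = open_unpredictable(tmpl);
    int is_private = (fd2 >= 0 && fstat(fd2, &st) == 0 && (st.st_mode & 0777) == 0600);
    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) { close(fd2); unlink(tmpl); }
    unlink(link_path); unlink(target); rmdir(dir);
    return (refused && target_absent && is_private) ? 0 : 1;
}

int main(void) { return demo(); }
```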
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:27 PDT