Sunday, May 13, 2001, 10:07:34 PM, zenith wrote:

> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.
> man -S `perl -e 'print ":" x 100'`

Confirmed:

$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

> Will cause a seg fault if you are vulnerable.
> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). One such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.
> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.
> Redhat have been contacted, and will be releasing an errata soon.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis

My 'man' executable comes from default installation of RH 7.0.

-- 
regards | Sylwester Zarębski |
| e-mail: sylwekat_private |
| ICQ uin: #45780888 |
| Administrator TORNET.PL |
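The advisory quoted above attributes the crash to a length check on the colon-separated -S section list that lets more entries land in a heap buffer than were sized for it. The following is an added illustration, not man's source or the vendor's fix: a hypothetical parser for such a list that counts entries before it writes anything and rejects input that would not fit, including the trailing NULL pointer the advisory mentions as the terminator of the list. Function and parameter names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded parser (not man's own code).
 *
 * Splits a colon-separated section list such as "1:8:3" into an
 * argv-style array: `out[0..n-1]` point into `buf`, and `out[n]` is
 * NULL.  The order matters: first measure the input, then check
 * both capacities (the scratch buffer and the pointer array,
 * counting the NULL terminator as a slot), and only then copy.
 * A check that counts separators but forgets the final entry or
 * the terminator is the kind of off-by-one the advisory describes.
 *
 * Returns the number of entries stored, or -1 if the list does not
 * fit; on -1 nothing has been written. */
int parse_section_list(const char *spec, char *buf, size_t buflen,
                       char **out, size_t cap)
{
    if (spec == NULL || buf == NULL || out == NULL || cap == 0)
        return -1;

    size_t len = strlen(spec);
    if (len + 1 > buflen)          /* copy plus its NUL must fit */
        return -1;

    size_t entries = 1;            /* "a:b" has one more entry than colons */
    for (size_t i = 0; i < len; i++)
        if (spec[i] == ':')
            entries++;
    if (entries + 1 > cap)         /* entries plus the NULL terminator */
        return -1;

    memcpy(buf, spec, len + 1);

    size_t k = 0;
    char *start = buf;
    for (char *p = buf;; p++) {
        if (*p == ':' || *p == '\0') {
            int at_end = (*p == '\0');
            *p = '\0';             /* terminate this entry in place */
            out[k++] = start;
            if (at_end)
                break;
            start = p + 1;
        }
    }
    out[k] = NULL;
    return (int)k;
}

int main(void)
{
    char buf[64];
    char *sections[8];

    /* Constructed inputs: a normal list and the 100-colon case from the advisory. */
    int n = parse_section_list("1:8:3", buf, sizeof buf, sections, 8);
    printf("normal list: %d entries\n", n);

    char many[101];
    memset(many, ':', 100);
    many[100] = '\0';
    n = parse_section_list(many, buf, sizeof buf, sections, 8);
    printf("100-colon list: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The second call in main is the defensive outcome one wants for the reproduction command in the mail: the oversized list is refused before any copy, instead of spilling past the buffer.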
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 01:29:28 PDT