On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:

> man -S `perl -e 'print ":" x 100'`
>
> Will cause a seg fault if you are vulnerable.

This and several other man vulnerabilities have been discussed on
security-audit last year. See:

MARC: thrd 'Multiple man vulnerabilities with Red Hat Linux 6.2'
http://marc.theaimsgroup.com/?t=97096128600001&w=2&r=1

MARC: thrd 'More fun with man 1.5h1'
http://marc.theaimsgroup.com/?t=97135295400001&w=2&r=1

I don't think your analysis of the possibilities to exploit this is
entirely correct. The buffer is in the bss, not on the heap. In fact,
the builds of man-1.5h1 I have here won't even segfault on the command
you mention, not even when given 400 colons -- but they do misbehave
in other ways. (I am willing to believe that this really is exploitable
on the RH 7.0 build, which I don't have.)

Of course, this is just one reason why SGID man is bad.

> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makewhatis

Yes, due to their security fix. I haven't seen this mentioned before
(but I'm not using this broken fix, anyway).

-TMPFILE=$HOME/whatis$$
-TMPFILEDIR=/tmp/whatis$$
+TMPFILE=/var/cache/man/whatis$$
+TMPFILEDIR=/var/cache/man/whatis$$

where /var/cache/man is writable by group man. :-(

The makewhatis patch we have in Owl (http://www.openwall.com/Owl/) is
attached. The section list overflow bug you mention isn't a security
problem on Owl for obvious reasons, but is on my TODO for fixing (has
been there since the security-audit discussion).

--
/sd
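Review bot: the `+` lines keep the predictable `whatis$$` name and only move it into /var/cache/man, which the message says is writable by group man, so a script running as root from cron still creates a guessable path in a directory other users can write to, which is exactly the race the message describes; the two `+` lines also assign the identical path to both TMPFILE and TMPFILEDIR, so the scratch file and scratch directory now collide. Suggest creating both with mktemp(1) under a restrictive umask, e.g. `TMPFILEDIR=$(mktemp -d /var/cache/man/whatis.XXXXXX)` and `TMPFILE=$TMPFILEDIR/whatis`, and aborting if the parent directory turns out to be group- or world-writable.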
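The race in the quoted fix comes from a predictable `whatis$$` name under a directory other users can write to. The following is an added example, not makewhatis code and not the Owl patch: two hypothetical POSIX sh helpers, `tmp_parent_is_safe` (refuses a group- or world-writable parent directory) and `make_private_tmpfile` (unpredictable name via mktemp, created 0600), of the kind a script running with extra privileges would use instead of `$$`. The directory and file names in the demo are constructed on the fly.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from makewhatis or Owl).
# A privileged script that writes scratch files must not use a
# predictable name like whatis$$ in a directory others can write to.

# tmp_parent_is_safe DIR
# Returns 0 when DIR exists and is writable neither by group nor by
# others; returns 1 otherwise. Reads the ls -ld permission string so
# it stays portable across stat(1) dialects.
tmp_parent_is_safe() {
    _dir=$1
    [ -d "$_dir" ] || return 1
    _mode=$(ls -ld "$_dir" | cut -c1-10)
    _gw=$(printf '%s' "$_mode" | cut -c6)    # group write bit
    _ow=$(printf '%s' "$_mode" | cut -c9)    # other write bit
    if [ "$_gw" = "-" ] && [ "$_ow" = "-" ]; then
        return 0
    fi
    return 1
}

# make_private_tmpfile DIR
# Creates an unpredictably named, owner-only (0600) file under DIR with
# mktemp(1) and prints its path. Fails if DIR is not a safe parent.
make_private_tmpfile() {
    _dir=$1
    tmp_parent_is_safe "$_dir" || return 1
    _old_umask=$(umask)
    umask 077
    _f=$(mktemp "$_dir/whatis.XXXXXX") || { umask "$_old_umask"; return 1; }
    umask "$_old_umask"
    printf '%s\n' "$_f"
}

# Demonstration on a constructed private directory: the first call
# succeeds, the second is refused once the directory is group-writable.
demo() {
    _d=$(mktemp -d) || return 1
    chmod 700 "$_d"
    _f=$(make_private_tmpfile "$_d") && echo "created $_f"
    chmod 770 "$_d"                  # mimic a cache dir writable by a group
    make_private_tmpfile "$_d" >/dev/null || echo "refused group-writable $_d"
    rm -rf "$_d"
}

demo
```

The check reads the mode of the parent directory rather than trusting its path, because the original fix went wrong precisely by assuming /var/cache/man was a safe place; mktemp's random suffix plus the 077 umask removes the guessable name that `$$` provides.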
This archive was generated by hypermail 2b30 : Tue May 15 2001 - 04:04:08 PDT