man 1.5h10 + man 1.5i-4 exploits

From: zen-parseat_private
Date: Mon Jun 11 2001 - 05:40:51 PDT


    This advisory is also stored, along with the exploits at
    http://generic.labs.pulltheplug.com/zen/
    as man.txt
    
    ======================================================================
        Local root from /usr/bin/man + /etc/cron.daily/makewhatis.cron
                              Redhat 7.0
                              Redhat 7.1
    
       (on other distributions it may also allow enhanced privileges)
    ======================================================================
    Affects: (root on these systems)
    
            //==============================================\\
            || RedHat man-1.5h1-10                          ||
            || default for Redhat 7.0 (pre-update)          ||
            >>==============================================<<
            || RedHat man-1.5i-4                            ||
            || 1st security update for Redhat 7.0           ||
            || (also affects Redhat 7.1)                    ||
            \\==============================================//
    
      NB: This is a bug in the man package, not the man-db package.
    
    ======================================================================
    
                     * *   W A R N I N G  * *
    
    Multiple versions of man are affected. The version numbers given are
    RedHat rpm version numbers. Just because a version is not listed here, it
    does not mean it is not vulnerable. The main problem, which allows root,
    is in the /usr/sbin/makewhatis file. If it does no checking for shell
    metacharacters in the filenames it uses as arguments, there may well be
    a problem.
    
    ======================================================================
    man-1.5h1
    
     man -S `perl -e 'print ":" x 100'` ls
    
    causes a segmentation fault, due to incorrect bounds checking on the
    array used to hold the section list.
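    As an added illustration of the bounds check that is missing here (this
    is example code, not code from the man package; the table size of 16 is
    an assumption for the illustration, not man's real limit), the following
    parser splits a colon-separated section list into a fixed table and
    refuses a list with more fields than the table holds, tried on a normal
    list and on the 100-colon argument shown above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed section table.  This value is an assumption for the
 * illustration; it is not the size man-1.5h1 actually used. */
#define MAX_SECTIONS 16

/* Release the entries stored by parse_section_list(). */
void free_section_list(char **table, size_t count)
{
    for (size_t i = 0; i < count; i++)
        free(table[i]);
}

/* Split a colon-separated section list such as "1:8:3" into `table`, which
 * holds at most `cap` entries.  Every field, including an empty one between
 * two adjacent colons, takes one slot, so the check reflects exactly what the
 * user typed.  Returns the number of entries stored, or -1 if the list does
 * not fit (nothing is written past the table and nothing is leaked). */
int parse_section_list(const char *list, char **table, size_t cap)
{
    size_t n = 0;
    const char *p = list;

    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);

        /* The bounds check the advisory says was missing: stop before the
         * table is full instead of writing over whatever follows it. */
        if (n >= cap) {
            free_section_list(table, n);
            return -1;
        }
        table[n] = malloc(len + 1);
        if (table[n] == NULL) {
            free_section_list(table, n);
            return -1;
        }
        memcpy(table[n], p, len);
        table[n][len] = '\0';
        n++;

        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return (int)n;
}

/* Convenience wrapper: parse into a MAX_SECTIONS table and report only the
 * count (or -1), freeing the entries again. */
int section_count_of(const char *list)
{
    char *table[MAX_SECTIONS];
    int n = parse_section_list(list, table, MAX_SECTIONS);
    if (n > 0)
        free_section_list(table, (size_t)n);
    return n;
}

/* Build a string of `n` colons, the same argument that
 * man -S `perl -e 'print ":" x 100'` passes. */
char *make_colons(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, ':', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char *colons = make_colons(100);
    printf("\"1:8:3\"    -> %d sections\n", section_count_of("1:8:3"));
    printf("100 colons -> %d (rejected, table holds %d)\n",
           section_count_of(colons), MAX_SECTIONS);
    free(colons);
    return 0;
}
```

    The point of the wrapper is that the caller never learns how the table
    is laid out: a list that does not fit is reported as an error before the
    first write past the end, instead of after the heads of the adjacent
    linked lists have been overwritten.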
    
    Stored after the tmp_section_list structure are the heads of a couple of
    linked lists, cat_list and man_list, which hold the names of the files
    already shown.
    
    By using a pointer to strcpy() (the last entry in the GOT)  as the 'next'
    pointer, it is possible to overwrite the address of the library function
    'strcpy' with a newly malloc()ed string containing the name of the file
    just viewed. The string will then be executed instead of strcpy.
    
    (strcpy() is used, because it contains a NULL after it in the GOT, which
    looks to man to mean "This is the tail of the linked list", and because it
    gets called at the appropriate time.)
    
    Exploiting this gives you gid man.
    (Elevation of gid man -> root dealt with after the next section)
    
    [I forgot the filename argument in the original post. Sorry.]
    ======================================================================
    man-1.5i-4
    
    This version does not have the -S problem.
    
    It does however have an overflow in the handling of .so (sourced)
    man pages.
    
    If a manpage has
    
    .so something
    
    as the first line, ultimate_source() attempts to find the file referred to
    by 'something'.
    
    If it is compressed, it uses my_popen(), a wrapped version of popen() that
    drops privileges to the user's, to read the contents and check that file
    for a .so line as well. Under certain circumstances the filename will
    increase in length.
    
    As there is no check for the existence of the file other than the return
    value of the popen() call, it is possible, by embedding shell
    metacharacters in the filename to be opened, to trick it into thinking it
    succeeded.
    
    The same commands that fool it into thinking it succeeded can return the
    name of the next file to look at. This can be done several times, until
    the overflow has reached the desired point. (ultname is 8192 bytes long,
    but due to the layout of the variables in memory, it needs an overflow of
    more than double that in order to affect the list structure used in the
    previous exploit, which is what my exploit does.)
    
    Successful exploitation will result in gid man.
    
    ======================================================================
    /usr/sbin/makewhatis
    
    ...
        function readline() {
                  if (use_zcat) {
                    result = (pipe_cmd | getline);
                    # result < 0 only reports a broken pipe; a command that
                    # ran and printed a line counts as success
                    if (result < 0) {
                      print "Pipe error: " pipe_cmd " " ERRNO > "/dev/stderr";
                    }
    ...
                  if (use_zcat) {
                    # filename is concatenated into a /bin/sh command line
                    # unquoted, so shell metacharacters in it are executed
                    pipe_cmd = "zcat " filename;
    ...
    
    Imagine a file called:
    "ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo .1.gz"
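    Both the makewhatis fragment above and the my_popen() path in the .so
    handling share one defect: a filename taken from the filesystem is pasted
    into a /bin/sh command line, and success is judged only by whether the
    pipe produced output. The following is an added example, not code from
    man or makewhatis, of the two defensive answers in C: an allowlist check
    that rejects any filename carrying shell metacharacters (the character set
    and the leading-dash rule are this example's assumptions), a quoting
    routine for the case where a shell really is needed, and a fork/exec pipe
    that passes the filename as one argv element so no shell is involved at
    all. The sample filenames in main() are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Allowlist check for a manpage filename that is about to be used in a shell
 * command: only letters, digits, '.', '_', '+' and '-' may appear, it must be
 * non-empty, and it may not begin with '-' (which zcat would read as an
 * option).  Anything else, including ';', '`', '$', quotes and whitespace,
 * is rejected.  Returns 1 if safe, 0 otherwise. */
int filename_is_shell_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (!isalnum(*p) && *p != '.' && *p != '_' && *p != '+' && *p != '-')
            return 0;
    }
    return 1;
}

/* Wrap an arbitrary string in single quotes for /bin/sh, turning each
 * embedded ' into '\''.  Returns a malloc()ed string; the caller frees it. */
char *shell_single_quote(const char *s)
{
    size_t len = strlen(s);
    /* worst case: every byte is a quote (4 bytes each) + 2 quotes + NUL */
    char *out = malloc(4 * len + 3);
    if (out == NULL)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *s;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* The robust alternative: read `zcat <path>` through a pipe without any
 * shell.  The path is one argv element to execlp(), so shell metacharacters
 * in it are just bytes of a filename, and "--" stops zcat from treating a
 * leading '-' as an option.  Returns a FILE* for the child's stdout (NULL on
 * error) and stores the child pid for the caller's waitpid(). */
FILE *zcat_noshell(const char *path, pid_t *child)
{
    int fds[2];
    if (pipe(fds) == -1)
        return NULL;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execlp("zcat", "zcat", "--", path, (char *)NULL);
        _exit(127);  /* exec failed */
    }
    close(fds[1]);
    *child = pid;
    return fdopen(fds[0], "r");
}

int main(void)
{
    /* Constructed sample names: a normal one and one of the shape the
     * advisory describes (metacharacters embedded in the filename). */
    const char *good = "ls.1.gz";
    const char *bad = "ls.1.gz;cd ..;cd tmp;echo .1.gz";
    printf("%-40s safe=%d\n", good, filename_is_shell_safe(good));
    printf("%-40s safe=%d\n", bad, filename_is_shell_safe(bad));
    char *q = shell_single_quote(bad);
    printf("quoted for sh: zcat %s\n", q);
    free(q);
    return 0;
}
```

    Of the three, zcat_noshell() is the one to prefer: the allowlist only
    works as long as nobody widens it, and quoting is easy to forget at one
    of several call sites, whereas an argv that never passes through sh has
    nothing to inject into.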
    
    ======================================================================
    example exploits: - http://generic.labs.pulltheplug.com/zen/
    
    These files may or may not require tweaking to get working.
    
    man-1.5h1-10-root-exploit.tar.gz
    man-1.5i-4-root-exploit.tar.gz
    
    This is the exploit for minicom-1.83.1-4. It is included here because it
    gains root via the makewhatis metachar bug, helped by the use of
    /var/lock/makewhatis.lock in a directory writable by gid uucp.
    
    minicom-root-exploit.tar.gz
    
    ======================================================================
    more information:
    
    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19351
    MANSECT and -S overflow
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40400
    man 1.5h1-10 has an exploitable overflow
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805
    root from gid man
    
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
    man-1.5i-4: local->gid man-> root in update
    
    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43213
    Man didn't drop privs when adding user PATH as MANPATH
    (related 'feature', arbitrary commands by user invoking man)
    
    ======================================================================
    
    --zen-parse
    Mon Jun  4 23:17:50 NZST 2001
    
    ** Most of the exploit tweaking involves details covered here, or the
    setup of programs for the exploits to work with.
    


