From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
see: http://bugs.gentoo.org/show_bug.cgi?id=13686

[kf@vegeta kf]$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[kf@vegeta kf]$ rpm -q groff man
groff-1.18.1-20
man-1.5k-6
[kf@vegeta kf]$ export MANPL=`perl -e 'print "A" x 17000'`
[kf@vegeta kf]$ man id
Segmentation fault

I have not yet modified the exploit to work on redhat 9... from above you can tell it SHOULD be vulnerable... at one point in time this was patched... similar to what I have on my immunix box:

[root@Immunity root]# cat /etc/immunix-release
Immunix Linux release 7.0-Plus (Zeno)
[root@Immunity root]# man -v
man, version 1.5i1
[root@Immunity root]# export MANPL=`perl -e 'print "A" x 9000'`
[root@Immunity root]# man id
ERROR: Environment variable MANPL too long!

(this exploit is crafted for an older version)

[root@vegeta kf]# head -n 27 0x82-man_ag.c
/*
**
** Man command /usr/bin/man MANPL environment buffer overflow exploit
** Target package: man-1.5g-6kr
**
** Thank to KF, he found this vulnerability.
** This code did exploit in RedHat Korean Linux default.
**
** The following is as result that `man-1.5g-6kr.rpm package'
** executes exploit in system that is installed.
**
** [x82@inetcop /tmp]$ ./0x82-man_ag
**
** 0x82-man_ag MANPL environment local man exploit
**
** [+] Input `q' !!
**
** WARNING: terminal is not fully functional
** - (press RETURN)<standard input>:1: warning: numeric expression expected (got `..)
** qDetermining length of file... (interrupt to abort)
**
** Congratulates~!! You it sees this messages,
** Your gid: man
**
** uid=501(x82) gid=15(man) groups=501(x82),500(secure)
** bash$
**

Version-Release number of selected component (if applicable):
man-1.5k-6

How reproducible:
Sometimes

Steps to Reproduce:
See above... see: http://bugs.gentoo.org/show_bug.cgi?id=13686
groff may affect exploitability however this is not confirmed.

Actual Results:  I got a gid man shell.

Expected Results:  I expected to see a man page. =]

Additional info:
see: http://bugs.gentoo.org/show_bug.cgi?id=13686
groff may affect results.
It turns out that they left out an older patch... probably cuz it's not suid any more... sorry, did not notice that... may want to verify older versions though.

http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

man-1.5k-6.src.rpm
[kf@vegeta kf]$ ls /usr/src/redhat/SOURCES/
makewhatis.crondaily        man-1.5j-nocache.patch
makewhatis.cronweekly       man-1.5j-packaging.patch
man-1.5h1-gencat.patch      man-1.5j-quoting.patch
man-1.5h1-make.patch        man-1.5j-segv.patch
man-1.5i2-initial.patch     man-1.5j-unsafe.patch
man-1.5i2-legacy.patch      man-1.5j-utf8.patch
man-1.5i2-newline.patch     man-1.5k-confpath.patch
man-1.5i2-overflow.patch    man-1.5k-korean.patch
man-1.5i-oldwhatis.patch    man-1.5k-localshare.patch
man-1.5i-ro-usr.patch       man-1.5k-lookon.patch
man-1.5j-argcat.patch       man-1.5k-nonascii.patch
man-1.5j-bug11621.patch     man-1.5k-sanitycheck.patch
man-1.5j-buildroot.patch    man-1.5k-security.patch
man-1.5j-devtty.patch       man-1.5k-sofix.patch
man-1.5j-mandirs.patch      man-1.5k.tar.bz2
Which left-out patch are you referring to? If it was security related, it shouldn't be taken out... even if the patch is for a theoretical case that doesn't exist on real RHL boxes (sgid man, for example).
This is the patch that was left out.
http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

in particular this section:

+#define CHECK(p, l) s=getenv(p); if(s && (strlen(s)>l)) { fprintf(stderr, "ERROR: Environment variable %s too long!\n", p); exit(1); }
...
+       CHECK("MANPL", 128);

man-1.5k-6.src.rpm
[kf@vegeta SOURCES]$ grep MANPL . -r
(nothing)

Thanks.
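Review bot: the CHECK macro in the quoted section expands to two separate statements (`s=getenv(p);` followed by the `if`), so it is only safe when used as a bare statement; written as `if (cond) CHECK("MANPL", 128);` only the assignment would be guarded and the length test would run unconditionally. Wrapping the body in `do { ... } while (0)` fixes that; declaring the temporary inside the macro body instead of relying on a surrounding `char *s`, and casting the limit in `strlen(s)>l` to `size_t`, would remove the hidden dependency and the signed/unsigned comparison. The approach itself, rejecting an over-long value before it is copied anywhere, is the right fix.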
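A defensive version of the check the quoted patch adds, written here as an added example (it is not code from the man package or from the patch): it rejects an over-long MANPL value the same way the CHECK macro does, and also shows a bounded copy that cannot overrun a fixed buffer however long the variable is. The 17000-byte test value is constructed to match the report's perl one-liner; the function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MANPL_MAX 128   /* as in the patch's CHECK("MANPL", 128) */

/* 1 if value (NULL = unset) is at most limit bytes, else 0. strnlen
 * stops at limit+1, so an enormous value is never scanned in full. */
int env_value_within(const char *value, size_t limit)
{
    return value == NULL || strnlen(value, limit + 1) <= limit;
}

/* The patch's CHECK policy, returning 0 instead of calling exit(1). */
int check_env(const char *name, size_t limit)
{
    if (env_value_within(getenv(name), limit))
        return 1;
    fprintf(stderr, "ERROR: Environment variable %s too long!\n", name);
    return 0;
}

/* Bounded copy: NUL-terminates, never writes past dstsz; -1 if unset or too long. */
int copy_env_bounded(const char *value, char *dst, size_t dstsz)
{
    size_t n;
    if (value == NULL || dstsz == 0)
        return -1;
    n = strnlen(value, dstsz);
    if (n == dstsz)            /* no room for the terminating NUL */
        return -1;
    memcpy(dst, value, n + 1);
    return (int)n;
}

/* Copies value into a MANPL-sized buffer; -1 means rejected. */
int fits_in_manpl_buffer(const char *value)
{
    static char manpl[MANPL_MAX + 1];
    return copy_env_bounded(value, manpl, sizeof manpl);
}

/* Constructed 17000-byte value, the length from the report above. */
const char *constructed_long_value(void)
{
    static char buf[17001];
    memset(buf, 'A', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}
```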
Removing security status; man is not setuid/setgid in Red Hat Linux.
man is now up to 1.5m2, which doesn't have this theoretical exploit (and man-1.5m2-1 isn't setgid either).