Bug 103439 - buffer overflow in man... sgid man exploit
Summary: buffer overflow in man... sgid man exploit
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 9
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Eido Inoue
QA Contact: Ben Levenson
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard:
Depends On:
Blocks:
 
Reported: 2003-08-30 15:11 UTC by KF
Modified: 2007-04-18 16:57 UTC (History)

Fixed In Version: 1.5m2-1
Clone Of:
Environment:
Last Closed: 2004-01-27 00:45:52 UTC
Embargoed:



Description KF 2003-08-30 15:11:14 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
see: http://bugs.gentoo.org/show_bug.cgi?id=13686

[kf@vegeta kf]$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[kf@vegeta kf]$ rpm -q groff man
groff-1.18.1-20
man-1.5k-6
[kf@vegeta kf]$ export MANPL=`perl -e 'print "A" x 17000'`
[kf@vegeta kf]$ man id
Segmentation fault

I have not yet modified the exploit to work on Red Hat 9... from above you can
tell it SHOULD be vulnerable... 

at one point in time this was patched... similar to what I have on my immunix box: 

[root@Immunity root]# cat /etc/immunix-release
Immunix Linux release 7.0-Plus (Zeno)
[root@Immunity root]# man -v
man, version 1.5i1

[root@Immunity root]# export MANPL=`perl -e 'print "A" x 9000'`
[root@Immunity root]# man id
ERROR: Environment variable MANPL too long!

(this exploit is crafted for an older version) 
[root@vegeta kf]# head -n 27  0x82-man_ag.c
/*
**
** Man command /usr/bin/man MANPL environment buffer overflow exploit
** Target package: man-1.5g-6kr
**
** Thank to KF, he found this vulnerability.
** This code did exploit in RedHat Korean Linux default.
**
** The following is as result that `man-1.5g-6kr.rpm package'
** executes exploit in system that is installed.
**
** [x82@inetcop /tmp]$ ./0x82-man_ag
**
**  0x82-man_ag MANPL environment local man exploit
**
**  [+] Input `q' !!
**
** WARNING: terminal is not fully functional
** -  (press RETURN)<standard input>:1: warning: numeric expression expected (got `..)
** qDetermining length of file... (interrupt to abort)
**
** Congratulates~!! You it sees this messages,
** Your gid: man
**
** uid=501(x82) gid=15(man) groups=501(x82),500(secure)
** bash$
**


Version-Release number of selected component (if applicable):
man-1.5k-6

How reproducible:
Sometimes

Steps to Reproduce:
See above... see: http://bugs.gentoo.org/show_bug.cgi?id=13686

groff may affect exploitability however this is not confirmed. 

Actual Results:  I got a gid man shell. 

Expected Results:  I expected to see a man page. =] 

Additional info:

see: http://bugs.gentoo.org/show_bug.cgi?id=13686

groff may affect results.

Comment 1 KF 2003-08-30 15:43:51 UTC
It turns out that they left out an older patch... probably because it's not suid any
more... sorry, did not notice that... may want to verify older versions though. 

http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

man-1.5k-6.src.rpm
[kf@vegeta kf]$ ls /usr/src/redhat/SOURCES/
makewhatis.crondaily      man-1.5j-nocache.patch
makewhatis.cronweekly     man-1.5j-packaging.patch
man-1.5h1-gencat.patch    man-1.5j-quoting.patch
man-1.5h1-make.patch      man-1.5j-segv.patch
man-1.5i2-initial.patch   man-1.5j-unsafe.patch
man-1.5i2-legacy.patch    man-1.5j-utf8.patch
man-1.5i2-newline.patch   man-1.5k-confpath.patch
man-1.5i2-overflow.patch  man-1.5k-korean.patch
man-1.5i-oldwhatis.patch  man-1.5k-localshare.patch
man-1.5i-ro-usr.patch     man-1.5k-lookon.patch
man-1.5j-argcat.patch     man-1.5k-nonascii.patch
man-1.5j-bug11621.patch   man-1.5k-sanitycheck.patch
man-1.5j-buildroot.patch  man-1.5k-security.patch
man-1.5j-devtty.patch     man-1.5k-sofix.patch
man-1.5j-mandirs.patch    man-1.5k.tar.bz2


Comment 2 Eido Inoue 2003-09-02 20:23:18 UTC
which left out patch are you referring to? if it was security related, it
shouldn't be taken out... even if the patch is for a theoretical case that
doesn't exist on real RHL boxes (sgid man, for example)

Comment 3 KF 2003-09-02 22:38:07 UTC
This is the patch that was left out. 

http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

in particular this section:

+#define CHECK(p, l) s=getenv(p); if(s && (strlen(s)>l)) { fprintf(stderr,
"ERROR: Environment variable %s too long!\n", p); exit(1); }
...
+     CHECK("MANPL", 128);
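Review bot: the CHECK macro body is a bare statement sequence (s=getenv(p); if(...) { ... }), so it is only safe used as a statement on its own; as the unbraced body of an `if` or `else`, only the getenv() would be conditional and the length test would always run. Wrap it in `do { ... } while (0)`. It also relies on a `char *s` declared in the enclosing scope, which this fragment does not show, and the 128 limit passed for MANPL has to be smaller than the buffer the value is later copied into (a value of exactly 128 bytes passes `strlen(s) > 128` and still needs 129 bytes with its NUL), which cannot be confirmed from these lines.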

man-1.5k-6.src.rpm

[kf@vegeta SOURCES]$ grep MANPL . -r
(nothing) 

Thanks. 


Comment 4 Mark J. Cox 2003-09-09 15:19:19 UTC
Removing security status, man is not setuid/setgid in Red Hat Linux

Comment 5 Eido Inoue 2004-01-27 00:45:52 UTC
man now up to 1.5m2, which doesn't have this theoretical exploit (and
man-1.5m2-1 isn't setgid either)

