Bug 103439 - buffer overflow in man... sgid man exploit
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 9
Hardware/OS: i686 Linux
Priority: medium   Severity: medium
Assigned To: Eido Inoue
QA Contact: Ben Levenson
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Reported: 2003-08-30 11:11 EDT by KF
Modified: 2007-04-18 12:57 EDT (History)

Fixed In Version: 1.5m2-1
Doc Type: Bug Fix
Last Closed: 2004-01-26 19:45:52 EST


Description KF 2003-08-30 11:11:14 EDT

Description of problem:
see: http://bugs.gentoo.org/show_bug.cgi?id=13686

[kf@vegeta kf]$ cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[kf@vegeta kf]$ rpm -q groff man
groff-1.18.1-20
man-1.5k-6
[kf@vegeta kf]$ export MANPL=`perl -e 'print "A" x 17000'`
[kf@vegeta kf]$ man id
Segmentation fault

I have not yet modified the exploit to work on Red Hat 9... from above you can
tell it SHOULD be vulnerable...

At one point in time this was patched... similar to what I have on my Immunix box:

[root@Immunity root]# cat /etc/immunix-release
Immunix Linux release 7.0-Plus (Zeno)
[root@Immunity root]# man -v
man, version 1.5i1

[root@Immunity root]# export MANPL=`perl -e 'print "A" x 9000'`
[root@Immunity root]# man id
ERROR: Environment variable MANPL too long!

(this exploit is crafted for an older version) 
[root@vegeta kf]# head -n 27  0x82-man_ag.c
/*
**
** Man command /usr/bin/man MANPL environment buffer overflow exploit
** Target package: man-1.5g-6kr
**
** Thank to KF, he found this vulnerability.
** This code did exploit in RedHat Korean Linux default.
**
** The following is as result that `man-1.5g-6kr.rpm package'
** executes exploit in system that is installed.
**
** [x82@inetcop /tmp]$ ./0x82-man_ag
**
**  0x82-man_ag MANPL environment local man exploit
**
**  [+] Input `q' !!
**
** WARNING: terminal is not fully functional
** -  (press RETURN)<standard input>:1: warning: numeric expression expected (got `..)
** qDetermining length of file... (interrupt to abort)
**
** Congratulates~!! You it sees this messages,
** Your gid: man
**
** uid=501(x82) gid=15(man) groups=501(x82),500(secure)
** bash$
**


Version-Release number of selected component (if applicable):
man-1.5k-6

How reproducible:
Sometimes

Steps to Reproduce:
See above... see: http://bugs.gentoo.org/show_bug.cgi?id=13686

groff may affect exploitability; however, this is not confirmed.

Actual Results:  I got a gid man shell. 

Expected Results:  I expected to see a man page. =] 

Additional info:

see: http://bugs.gentoo.org/show_bug.cgi?id=13686

groff may affect results.
Comment 1 KF 2003-08-30 11:43:51 EDT
It turns out that they left out an older patch... probably because it's not suid any
more... sorry, did not notice that... may want to verify older versions though.

http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

man-1.5k-6.src.rpm
[kf@vegeta kf]$ ls /usr/src/redhat/SOURCES/
makewhatis.crondaily      man-1.5j-nocache.patch
makewhatis.cronweekly     man-1.5j-packaging.patch
man-1.5h1-gencat.patch    man-1.5j-quoting.patch
man-1.5h1-make.patch      man-1.5j-segv.patch
man-1.5i2-initial.patch   man-1.5j-unsafe.patch
man-1.5i2-legacy.patch    man-1.5j-utf8.patch
man-1.5i2-newline.patch   man-1.5k-confpath.patch
man-1.5i2-overflow.patch  man-1.5k-korean.patch
man-1.5i-oldwhatis.patch  man-1.5k-localshare.patch
man-1.5i-ro-usr.patch     man-1.5k-lookon.patch
man-1.5j-argcat.patch     man-1.5k-nonascii.patch
man-1.5j-bug11621.patch   man-1.5k-sanitycheck.patch
man-1.5j-buildroot.patch  man-1.5k-security.patch
man-1.5j-devtty.patch     man-1.5k-sofix.patch
man-1.5j-mandirs.patch    man-1.5k.tar.bz2
Comment 2 Eido Inoue 2003-09-02 16:23:18 EDT
Which left-out patch are you referring to? If it was security-related, it
shouldn't be taken out... even if the patch is for a theoretical case that
doesn't exist on real RHL boxes (sgid man, for example).
Comment 3 KF 2003-09-02 18:38:07 EDT
This is the patch that was left out. 

http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/sys-apps/man/files/man-1.5k-redhat-patches.patch

in particular this section:

+#define CHECK(p, l) s=getenv(p); if(s && (strlen(s)>l)) { fprintf(stderr,
"ERROR: Environment variable %s too long!\n", p); exit(1); }
...
+     CHECK("MANPL", 128);
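Review bot: CHECK() expands to two statements (the getenv() assignment and the if) with no do { ... } while (0) wrapper and no declaration of `s`, so it depends on a `char *s` already being in scope and would mis-parse under `if (cond) CHECK("MANPL", 128);`; declare `s` inside a braced do/while body and parenthesise `l` in `strlen(s)>(l)`. The boundary is also worth confirming at the copy site: `strlen(s)>l` admits a value of exactly l characters, which occupies l+1 bytes with its terminator, so `CHECK("MANPL", 128)` is only sufficient if the destination holds at least 129 bytes; against a 128-byte buffer the test must be `>=`.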

man-1.5k-6.src.rpm

[kf@vegeta SOURCES]$ grep MANPL . -r
(nothing) 

Thanks. 
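The segfault in the description and the CHECK("MANPL", 128) line in this comment are the two halves of one bug class: a fixed-size buffer that receives an environment variable without a length check, and a pre-copy length limit that closes it. The C program below is an added, constructed model of that pattern, not man's source (the actual MANPL copy site is not shown anywhere on this page). The buffer size, the canary bytes placed behind it, and the heap-allocated frame with slack are all assumptions made so the overflow can be observed without crashing; the 128 limit and the error message are taken from the quoted patch. It runs the same "A" x 17000 payload as the report, plus a few lengths around the boundary, through an unpatched copy and a CHECK-style hardened copy.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length limit taken from the quoted patch line CHECK("MANPL", 128). */
#define MANPL_LIMIT 128

/* Byte pattern written directly behind the buffer (an assumption of this
 * model). A real overflow would overwrite whatever is adjacent on the stack
 * (saved registers, return address); here the canary lets callers observe
 * the corruption safely. It is an array of bytes so the struct has no
 * padding before it, and volatile so the compiler must really read memory
 * after the copy instead of reusing the value it just stored. */
static const unsigned char CANARY[4] = { 0xA5, 0x5A, 0xC3, 0x3C };

struct frame {
    char buf[MANPL_LIMIT + 1];                   /* 128 characters plus NUL */
    volatile unsigned char canary[sizeof CANARY];
};

enum copy_result { COPY_OK = 0, COPY_REJECTED = 1, COPY_CLOBBERED = 2 };

static void arm_canary(struct frame *f) {
    for (size_t i = 0; i < sizeof CANARY; i++)
        f->canary[i] = CANARY[i];
}

static int canary_intact(const struct frame *f) {
    for (size_t i = 0; i < sizeof CANARY; i++)
        if (f->canary[i] != CANARY[i])
            return 0;
    return 1;
}

/* "A" x n: the same payload shape as the perl one-liner in the report. */
char *make_payload(size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL)
        abort();
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

/* Pre-patch behaviour: copy the variable with no length check. Written as
 * an explicit loop so a fortified libc strcpy() cannot intercept the demo;
 * semantically it is strcpy(). */
static void unbounded_copy(char *dst, const char *src) {
    while ((*dst++ = *src++) != '\0')
        ;
}

enum copy_result vuln_copy(struct frame *f, const char *manpl) {
    arm_canary(f);
    unbounded_copy(f->buf, manpl);   /* overruns buf once strlen(manpl) > MANPL_LIMIT */
    return canary_intact(f) ? COPY_OK : COPY_CLOBBERED;
}

/* Post-patch behaviour, modelled on the quoted CHECK() macro: refuse the
 * value before it reaches the buffer, then copy with an explicit bound as
 * well. The `>` is only correct because buf holds MANPL_LIMIT + 1 bytes;
 * against a 128-byte buffer the same test would be off by one. */
enum copy_result safe_copy(struct frame *f, const char *manpl) {
    arm_canary(f);
    if (strlen(manpl) > MANPL_LIMIT) {
        fprintf(stderr, "ERROR: Environment variable MANPL too long!\n");
        return COPY_REJECTED;
    }
    snprintf(f->buf, sizeof f->buf, "%s", manpl);
    return canary_intact(f) ? COPY_OK : COPY_CLOBBERED;
}

/* Run one copy against a payload of `len` bytes. The frame is heap-allocated
 * with `len` bytes of slack behind it so the deliberate overflow lands in
 * memory we own instead of smashing the real stack of this process. */
enum copy_result run_copy(int hardened, size_t len) {
    struct frame *f = calloc(1, sizeof *f + len + 1);
    char *payload;
    enum copy_result r;
    if (f == NULL)
        abort();
    payload = make_payload(len);
    r = hardened ? safe_copy(f, payload) : vuln_copy(f, payload);
    free(payload);
    free(f);
    return r;
}

int main(void) {
    const size_t lens[] = { 64, 128, 129, 17000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("MANPL length %5zu: unpatched=%d  patched=%d\n",
               lens[i], run_copy(0, lens[i]), run_copy(1, lens[i]));
    return 0;
}
```

The 129-byte case is the one to watch: the unpatched copy clobbers the first canary byte with the terminating NUL, while the CHECK-style limit rejects it only because the buffer in this model is sized MANPL_LIMIT + 1. Whether the real man buffer was sized that way is exactly what a reviewer of the missing patch would need to confirm against the copy site.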
Comment 4 Mark J. Cox (Product Security) 2003-09-09 11:19:19 EDT
Removing security status, man is not setuid/setgid in Red Hat Linux
Comment 5 Eido Inoue 2004-01-26 19:45:52 EST
man now up to 1.5m2, which doesn't have this theoretical exploit (and
man-1.5m2-1 isn't setgid either)
