man 1.5h10 + man 1.5i-4 exploits
Date: Tue, 12 Jun 2001 00:40:51 +1200 (NZST)
From: zen-parse@gmx.net
To: bugtraq@securityfocus.com
Subject: man 1.5h10 + man 1.5i-4 exploits
This advisory is also stored, along with the exploits at
http://generic.labs.pulltheplug.com/zen/
as man.txt
======================================================================
Local root from /usr/bin/man + /etc/cron.daily/makewhatis.cron
Redhat 7.0
Redhat 7.1
(on other distributions it may also allow enhanced privileges)
======================================================================
Affects: (root on these systems)
//==============================================\\
|| RedHat man-1.5h1-10 ||
|| default for Redhat 7.0 (pre-update) ||
>>==============================================<<
|| RedHat man-1.5i-4 ||
|| 1st security update for Redhat 7.0 ||
|| (also affects Redhat 7.1) ||
\\==============================================//
NB: This is a bug in the man package, not the man-db package.
======================================================================
* * W A R N I N G * *
Multiple versions of man are affected. The version numbers given are
RedHat rpm version numbers. Just because a version is not listed here, it
does not mean it is not vulnerable. The main problem, which allows root
is in the /usr/sbin/makewhatis file. If there is no checking for shell
metacharacters in files being used as arguments, it is possible there
is a problem.
======================================================================
man-1.5h1
man -S `perl -e 'print ":" x 100'` ls
will cause a Segmentation fault error, due to incorrect bounds checking in
the array used to hold the section list.
Stored after the tmp_section_list structure are the heads of a couple of
linked lists, cat_list and man_list, which holds the names of the files
already shown.
By using a pointer to strcpy() (the last entry in the GOT) as the 'next'
pointer, it is possible to overwrite the address of the library function
'strcpy' with a newly malloc()ed string containing the name of the file
just viewed. The string will then be executed instead of strcpy.
(strcpy() is used, because it contains a NULL after it in the GOT, which
looks to man to mean "This is the tail of the linked list", and because it
gets called at the appropriate time.)
Exploiting this gives you gid man.
(Elevation of gid man -> root dealt with after the next section)
[I forgot the filename argument in the original post. Sorry.]
======================================================================
man-1.5i-4
This version does not have the -S problem.
It does how ever have an overflow in the handling of .so (sourced)
man pages.
If a manpage has
.so something
as the first line, ultimate_source() attempts to find the file refered to
by the something.
If it is compressed, it uses my_popen(), a wrapped version of popen() that
drops privs to the users, to read the contents, and check that file for a
.so line as well. Under certain circumstances the filename will increase
in length.
As there is no checking for the existance of the file other than the
return value from the popen() call, it is possible, by embedding shell
metacharacters in the filename to be opened to trick it into thinking it
succeeded.
The same commands that fool it into thinking it succeeded can return the
next file to look at name. This can be done several times, until the
overflow has reached the desired point. (ultname is 8192 bytes long, but
due to the layout of the variables in memory, it needs an overflow of more
than double that in order to affect yhe list structure used in the
previous exploit, which is what my exploit does.)
Successful exploitation will result in gid man.
======================================================================
/usr/sbin/makewhatis
...
function readline() {
if (use_zcat) {
result = (pipe_cmd | getline);
if (result < 0) {
print "Pipe error: " pipe_cmd " " ERRNO > "/dev/stderr";
}
...
if (use_zcat) {
pipe_cmd = "zcat " filename;
...
Imagine a file called:
"ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo .1.gz"
======================================================================
example exploits: - http://generic.labs.pulltheplug.com/zen/
These files may or may not require tweaking to get working.
man-1.5h1-10-root-exploit.tar.gz
man-1.5i-4-root-exploit.tar.gz
This is the exploit for minicom-1.83.1-4. It is included here because it
gains root via the makewhatis metachar bug, helped by the use of
/var/lock/makewhatis.lock in a gid uucp writable directory.
minicom-root-exploit.tar.gz
======================================================================
more information:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19351
MANSECT and -S overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40400
man 1.5h1-10 has an exploitable overflow
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805
root from gid man
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
man-1.5i-4: local->gid man-> root in update
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43213
Man didn't drop privs when adding user PATH as MANPATH
(related 'feature', arbitrary commands by user invoking man)
======================================================================
--zen-parse
Mon Jun 4 23:17:50 NZST 2001
** Most of the exploit tweaking involves details covered here, or the set
up of programs for the exploits to work with.