Subject: Re: SuSe / Debian man package format string vulnerability
 
From: Foldi Tamas (crow@KAPU.HU)
Date: Tue Feb 06 2001 - 14:07:05 CST


    Megyer Ur wrote:

    > /usr/bin/man is a simple binary, without any suid bit, BUT
    > /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
    > attack. So anyone can get man uid by exploiting it.
    >
    > So we can overwrite the /usr/lib/man-db/man binary with any stuff we
    > want, and when some user launches man, our code will be run instead of
    > the original /usr/lib/man-db/man binary. This is the real security
    > problem.

    Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.

    Cheers,
    Foldi Ur ;)

    . . _ __ ______________________________________________________ __ _ . .
    Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
       crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477
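
Added example, not part of the original message: a small audit for the condition discussed in this thread, a setuid binary owned by the same non-root account it runs as, which lets that account replace the file unless the immutable flag is set. The function names, the default path argument and the sample UID in the test are assumptions for illustration; reading the flag assumes `lsattr` from e2fsprogs is installed.

```python
import os
import stat
import subprocess
import sys

def is_immutable(path):
    """True/False from `lsattr -d`; None when the flag cannot be read."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    fields = out.split()
    return "i" in fields[0] if fields else None

def classify(mode, owner_uid, immutable):
    """Verdict for one file, or None when it is out of scope."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None          # not a setuid regular file
    if owner_uid == 0:
        return None          # root-owned: the setuid account cannot replace it
    # The owner can always chmod and rewrite its own file, so ownership by
    # the setuid account is enough; only the immutable flag blocks that.
    if immutable is True:
        return "protected"
    if immutable is False:
        return "replaceable"
    return "unknown"         # filesystem or tool could not report the flag

def scan(root):
    """Return (path, owner_uid, verdict) for each in-scope file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Cheap pre-check so lsattr only runs for in-scope files.
            if classify(st.st_mode, st.st_uid, False) is None:
                continue
            verdict = classify(st.st_mode, st.st_uid, is_immutable(path))
            findings.append((path, st.st_uid, verdict))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/man-db"
    for path, uid, verdict in scan(target):
        print(f"{verdict:12} uid={uid:<6} {path}")
```

Only root can set or clear the immutable flag, and it has to be cleared with `chattr -i` before a package upgrade can replace the file.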


     
