Subject: Re: SuSe / Debian man package format string vulnerability
From: Foldi Tamas (crow@KAPU.HU)
Date: Tue Feb 06 2001 - 14:07:05 CST
Megyer Ur wrote:
> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user launches man, our code will be run instead of
> the original /usr/lib/man-db/man binary. This is the real security
> problem.
Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.
Cheers,
Foldi Ur ;)
. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477
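
An added example, not part of the original message or of man-db: a shell audit that lists setuid files owned by a non-root account and reports whether the immutable attribute suggested above is set on them. The function names `classify` and `audit` are hypothetical, and the script assumes GNU `stat` and the e2fsprogs `lsattr`.

```shell
#!/bin/sh
# Added example: flag setuid files that their own (non-root) owner could replace.

# classify MODE OWNER_UID LSATTR_FLAGS  ->  skip | immutable | replaceable
#   MODE is octal as printed by `stat -c %a` (e.g. 4755 or 755).
classify() {
    mode=$1 uid=$2 flags=$3
    # The leading digit of a 4-digit mode holds setuid(4)/setgid(2)/sticky(1).
    case "$mode" in
        ????) special=${mode%???} ;;
        *)    special=0 ;;
    esac
    case "$special" in
        4|5|6|7) ;;                    # setuid bit present
        *) echo skip; return 0 ;;      # not setuid
    esac
    if [ "$uid" -eq 0 ]; then
        echo skip                      # root-owned: out of scope for this check
        return 0
    fi
    case "$flags" in
        *i*) echo immutable ;;         # chattr +i set; owner cannot overwrite
        *)   echo replaceable ;;       # owner uid can rewrite the binary
    esac
}

# audit DIR: print "<status><TAB><path>" for every setuid file under DIR.
# Assumes GNU stat and e2fsprogs lsattr; if lsattr cannot read the flags
# (unsupported filesystem), the file is reported as replaceable.
audit() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        flags=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
        status=$(classify "$(stat -c %a "$f")" "$(stat -c %u "$f")" "$flags")
        printf '%s\t%s\n' "$status" "$f"
    done
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

A file marked immutable cannot be replaced by the package manager either, so the flag has to be cleared with `chattr -i` before upgrading the package and set again afterwards.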