6051758 2001-02-05 06:34 -0500  /30 lines/ John <johns@HUSHMAIL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05  20:31  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: johns@HUSHMAIL.COM
Recipient: Bugtraq (import) <15223>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: John <johns@HUSHMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A7E8FD7.FF012EF3@hushmail.com>

On my Debian 2.2 system 'man' was installed
suid root. I don't know about Debian 2.3, but
Debian 2.2 does install 'man' suid root.

Robert van der Meulen wrote:
>
> Hi,
>
> Quoting StyX (styx@MAILBOX.AS):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't pose a security problem.
> I don't know about Suse/Redhat/others.
>
> Greets,
>         Robert
>
> --
>                                 Linux Generation
(6051758) ------------------------------------------
Comment in text 6052926 by Graham Hughes <graham@LYNDA.COM>
Comment in text 6052930 by Megyer Ur <lez@SCH.BME.HU>
Comment in text 6052940 by Matt Zimmerman <mdz@DEBIAN.ORG>
Comment in text 6052975 by Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>
6052926 2001-02-05 11:35 -0800  /53 lines/ Graham Hughes <graham@LYNDA.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  01:56  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: graham@LYNDA.COM
Recipient: Bugtraq (import) <15235>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Graham Hughes <graham@LYNDA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87ofwgq5xk.fsf@ash.i-did-not-set--mail-host-address--so-shoot-me>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John <johns@HUSHMAIL.COM> writes:

> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3, but
> Debian 2.2 does install 'man' suid root.

graham@lonestar:~$ cat /etc/debian_version
2.2
graham@lonestar:~$ dpkg --listfiles man-db | grep bin
/usr/bin
/usr/bin/manpath
/usr/bin/catman
/usr/bin/whatis
/usr/bin/apropos
/usr/bin/wrapper
/usr/bin/man
/usr/bin/mandb
/usr/bin/zsoelim
/usr/sbin
/usr/sbin/accessdb
graham@lonestar:~$ dpkg --listfiles man-db | grep bin/ | xargs ls -l
-rwxr-xr-x    1 root     root        28064 Apr  4  2000 /usr/bin/apropos
-rwxr-xr-x    1 root     root        28704 Apr  4  2000 /usr/bin/catman
-rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/man
-rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/mandb
-rwxr-xr-x    1 root     root        19832 Apr  4  2000 /usr/bin/manpath
-rwxr-xr-x    1 root     root        27712 Apr  4  2000 /usr/bin/whatis
-rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/wrapper
-rwxr-xr-x    1 root     root        16172 Apr  4  2000 /usr/bin/zsoelim
-rwxr-xr-x    1 root     root        11476 Apr  4  2000 /usr/sbin/accessdb
graham@lonestar:~$

Ahem.
--
Graham Hughes <graham@lynda.com>
PGP fingerprint: 1F1D 0027 B835 E114 3F5B  2C7C 64D1 83A0 C5C7 312A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE6fwBuZNGDoMXHMSoRAoUkAJ0XvGFxwLJgNl4yJ7Ip1R8jy33KyACgmZiM
9l7Wsa4J9A6+wbBIctaXKj4=
=iOSf
-----END PGP SIGNATURE-----
(6052926) ------------------------------------------
6052930 2001-02-05 23:18 +0100  /53 lines/ Megyer Ur <lez@SCH.BME.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  01:58  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lez@SCH.BME.HU
Recipient: Bugtraq (import) <15236>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Megyer Ur <lez@SCH.BME.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205231858.A8735@visible>

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3, but
> Debian 2.2 does install 'man' suid root.

Debian systems:
---------------

-rwsr-xr-x    1 man      root        84524 Oct 24 08:11 /usr/lib/man-db/man
-rwxr-xr-x    3 root     root         5060 Oct 24 08:11 /usr/bin/man

There are two man binaries.  /usr/bin/man is a simple binary, without
any suid bit, BUT /usr/lib/man-db/man is suid man, and it's
vulnerable to the man -l <formatstr> attack. So anyone can get the man uid by
exploiting it.

So we can overwrite the /usr/lib/man-db/man binary with any stuff we
want, and when some user launches man, our code will be run instead of
the original /usr/lib/man-db/man binary. This is the real security
problem.

If root runs /usr/bin/man, it drops root privileges, and it setuids to
man(6) as you can see:
lez:~# strace man asdf 2>&1 |grep setuid
setuid(6)                               = 0


Redhat systems:
---------------

-rwxr-sr-x    1 root     man         35260 Aug 23 17:56 /usr/bin/man

We can get the man gid with man on Redhat. Then we may be able to
overwrite some stuff in /var/man/cache, which is still insecure because
troff may have some security flaws...


Conclusion:
-----------
In debian systems, we can own the user who runs man (but not root!).
In redhat systems, we get only man gid, but one may be able to get more
(not checked).


--
Lez (Megyer Laszlo)
lez@sch.bme.hu
(6052930) --------------------------------(Reflowed)
6052940 2001-02-05 15:33 -0500  /22 lines/ Matt Zimmerman <mdz@DEBIAN.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  02:01  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mdz@DEBIAN.ORG
Recipient: Bugtraq (import) <15237>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Matt Zimmerman <mdz@DEBIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205153328.L13606@alcor.net>

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:

> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3, but
> Debian 2.2 does install 'man' suid root.

Are you certain?  In Debian stable (2.2, potato), man is installed
setgid man.  In Debian unstable and testing (sid, woody), man is now
installed setuid man (for reasons noted elsewhere in this thread).

If you actually have a situation where man has been installed setuid
root, it would be a very serious bug, and you should report which
architecture and version of the man-db package you are using.

--
 - mdz
(6052940) --------------------------------(Reflowed)
6052975 2001-02-05 20:40 +0100  /23 lines/ Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  02:35  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: aferber@TECHFAK.UNI-BIELEFELD.DE
Recipient: Bugtraq (import) <15240>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
Hi,

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3, but
> Debian 2.2 does install 'man' suid root.

No, this is not true:

$ ls -la /usr/lib/man-db/man
-rwsr-xr-x    1 man      root        82848 Apr  4  2000 /usr/lib/man-db/man
$

This is the actual man binary (/usr/bin/man is only a wrapper, did not
examine closer what it does, but it has no setu/gid bit set), after a
plain Debian 2.2 potato install.

Andreas
--  After the last of 16 mounting screws has been removed from an
access cover, it will be discovered that the wrong access cover has
been removed.
(6052975) --------------------------------(Reflowed)
Attachment (application/pgp-signature) in text 6052976
6052976 2001-02-05 20:40 +0100  /10 lines/ Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>
Imported: 2001-02-06  02:35  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: aferber@TECHFAK.UNI-BIELEFELD.DE
Recipient: Bugtraq (import) <15241>
Attachment (text/plain) to text 6052975
Subject: Attachment to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6fwGZfO23eTjctSoRAtYIAJ0QV9XbIPXEN5lciY8Sm+lcNya3NACfeUDk
3Vu6F14q91hhW5l9mzSVUes=
=nA5s
-----END PGP SIGNATURE-----
(6052976) ------------------------------------------
6051823 2001-02-05 11:42 -0600  /25 lines/ Mate Wierdl <mw@THALES.MEMPHIS.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05  20:50  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mw@THALES.MEMPHIS.EDU
Recipient: Bugtraq (import) <15227>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Mate Wierdl <mw@THALES.MEMPHIS.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205114219.B30149@thales.memphis.edu>

On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> I don't know about Suse/Redhat/others.

On RH 7.0 and 6.2 it does not seem to matter as far as the
vulnerability is concerned since

$ man -l %x%x%x%x 2>&1  |head -1
man: invalid option -- l

on both systems.

Also,

$ ls -l `which man`
-rwxr-sr-x    1 root     man         34800 Jun 30  2000 /usr/bin/man


---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
(6051823) ------------------------------------------
6052876 2001-02-05 23:17 +0100  /35 lines/ Roman Drahtmueller <draht@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  01:24  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <15232>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0102052312440.26556-100000@dent.suse.de>

> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't pose a security problem.
> I don't know about Suse/Redhat/others.

SuSE ships the /usr/bin/man command suid man.

After exploiting the man command format string vulnerability, the
attacker can then replace the /usr/bin/man binary with a program of
their own - since the man command is supposed to be used frequently
(especially for administrators), this poses a rather high security
risk, which deserves some due respect.

We'll provide update packages shortly.

> Greets,
> 	Robert

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
(6052876) --------------------------------(Reflowed)
Comment in text 6053046 by Kris Kennaway <kris@OBSECURITY.ORG>
6053046 2001-02-05 17:05 -0800  /19 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  04:22  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15246>
Comment on text 6052876 by Roman Drahtmueller <draht@SUSE.DE>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
On Mon, Feb 05, 2001 at 11:17:28PM +0100, Roman Drahtmueller wrote:

> SuSE ships the /usr/bin/man command suid man.
> 
> After exploiting the man command format string vulnerability, the attacker
> can then replace the /usr/bin/man binary with a program of their own - since the
> man command is supposed to be used frequently (especially for administrators),
> this poses a rather high security risk, which deserves some due respect.
> 
> We'll provide update packages shortly.

The solution FreeBSD uses is to set the schg flag on /usr/bin/man -
this flag can only be set and removed by root, and prevents a
compromise of the man user from overwriting the binary.

FWIW, I don't think FreeBSD has the man problem.

Kris
(6053046) ------------------------------------------
Attachment (application/pgp-signature) in text 6053047
6053047 2001-02-05 17:05 -0800  /10 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Imported: 2001-02-06  04:22  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15247>
Attachment (text/plain) to text 6053046
Subject: Attachment to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6f03vWry0BWjoQKURAmEgAKD41j8R+5shiJfL2idqNxwTkugfHQCfRIKQ
18/ym5x7No6xhAD2ANCj0Ds=
=R+Dp
-----END PGP SIGNATURE-----
(6053047) ------------------------------------------
6053053 2001-02-05 17:34 -0800  /31 lines/ Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  04:36  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Darren.Moffat@eng.sun.com
Recipient: Bugtraq (import) <15248>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Darren Moffat <Darren.Moffat@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060134.f161YlR299519@jurassic.eng.sun.com>

>> > This was on my Debian 2.2 potato system (It doesn't dump core though).
>> Just for the record:
>> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
>> this doesn't pose a security problem.
>> I don't know about Suse/Redhat/others.
>
>SuSE ships the /usr/bin/man command suid man.
>
>After exploiting the man command format string vulnerability, the attacker
>can then replace the /usr/bin/man binary with a program of their own - since the
>man command is supposed to be used frequently (especially for administrators),
>this poses a rather high security risk, which deserves some due respect.
>
>We'll provide update packages shortly.

I'm having a hard time working out why the man command is setuid to
any user.

Exactly what is it that man MUST do to perform the job of turning
nroff man pages into viewable text ?

--
Darren J Moffat
(6053053) --------------------------------(Reflowed)
Comment in text 6053111 by Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
Comment in text 6053112 by Seth Arnold <sarnold@WILLAMETTE.EDU>
Comment in text 6053184 by David Luyer <david_luyer@PACIFIC.NET.AU>
6053111 2001-02-05 20:01 -0800  /28 lines/ Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  06:43  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: dan-bugtraq@DILVISH.SPEED.NET
Recipient: Bugtraq (import) <15250>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060401.UAA21404@dilvish.speed.net>

Darren Moffat <Darren.Moffat@eng.sun.com> writes:
> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

Isn't it an issue with caching that viewable text in catN
directories?  If the catN directories are mode 777, people can put in
"Trojaned" man pages that tell users to do harmful things.  If
they're mode 1777, a user viewing a new version of the man page for
<program> won't be able to replace the copy of <program>.1 some other
user put in the cat1 directory 5 years ago.

Thus the setuid man solution.

Now, one could certainly argue that with today's processor and disk
speeds, caching nroff results is no longer a significant savings.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
(6053111) --------------------------------(Reflowed)
6053112 2001-02-05 19:32 -0800  /26 lines/ Seth Arnold <sarnold@WILLAMETTE.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  06:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: sarnold@WILLAMETTE.EDU
Recipient: Bugtraq (import) <15251>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Seth Arnold <sarnold@WILLAMETTE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205193219.A28281@willamette.edu>

* Darren Moffat <Darren.Moffat@eng.sun.com> [010205 19:24]:
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

It is setuid <some user> in order to store pre-formatted manpages
around, so that future invocations do not have to format the
manpage. It is intended to allow simple source pages to be shipped
(compressed in the case of at least Debian) so that PostScript
versions can be generated, in addition to the simple text-viewable
versions -- and still allow for frequently-accessed manpages to load
as fast as shipping the formatted versions of manpages.

It is interesting to note that OpenBSD does not use the source pages
by default -- only the processed plaintext 'cat' pages are
installed. This removes the need for setuid/setgid man applications, and
problems such as this.

--
``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all
really impressed down here, I can tell you.''
(6053112) --------------------------------(Reflowed)
6053184 2001-02-06 15:53 +1100  /42 lines/ David Luyer <david_luyer@PACIFIC.NET.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  08:03  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: david_luyer@PACIFIC.NET.AU
Recipient: Bugtraq (import) <15252>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: David Luyer <david_luyer@PACIFIC.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060453.f164rrs00788@typhaon.pacific.net.au>

Darren Moffat wrote:

> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

Two operations are done where SUID is useful; firstly maintaining the
manual page index (remember what happens on Solaris if you haven't
indexed the man pages and someone does a man -k... it just basically
says "sorry"... a SUID man can build this on the fly for any changes
detected) and secondly the unfortunate belief on many OSes/distros
that caching nroff output is useful (which is true for performance,
but leads to systems formatting man pages as 24x80 rather than
adjusting to the real window size like some of the nicer "man"
variants used to).

Both of them are performance issues, one could be addressed by having
the manual page indexes maintained by the package install process,
and the second is somewhat harder to address but somewhat more
questionable in the net performance gain (perhaps per-user caching
would have a similar performance gain without the SUID requirement -
and these could be stored in an area which is automatically cleaned
regularly).

(Hmm, does BUGTRAQ need/have a FAQ for questions which are asked
every few years [why is "x" SUID; what about design flaw "y" {eg,
nobody homedir}; ...] and security holes which seem to come back from
time to time [such as the RESOLV_HOST_CONF one which recently
reoccurred in a Debian unstable/testing libc package]?)

David.
--
David Luyer                                        Phone:   +61 3 9674 7525
Senior Network Engineer        P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF
(6053184) --------------------------------(Reflowed)
6053110 2001-02-05 20:16 -0800  /37 lines/ Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  06:40  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Darren.Moffat@eng.sun.com
Recipient: Bugtraq (import) <15249>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Darren Moffat <Darren.Moffat@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060416.f164GWR318805@jurassic.eng.sun.com>

>* Darren Moffat <Darren.Moffat@eng.sun.com> [010205 19:24]:
>> Exactly what is it that man MUST do to perform the job of turning nroff
>> man pages into viewable text ?

Given the replies I got that are similar to the one below I should
have been more explicit - I knew this but was trying to hint that it
wasn't part of the functionality of formatting the page.

man doesn't NEED to do this to get the job done; this is all just about
caching at the expense of security.

>It is setuid <some user> in order to store pre-formatted manpages
>around, so that future invocations do not have to format the manpage. It
>is intended to allow simple source pages to be shipped (compressed in
>the case of at least Debian) so that PostScript versions can be
>generated, in addition to the simple text-viewable versions -- and still
>allow for frequently-accessed manpages to load as fast as shipping the
>formatted versions of manpages.

>It is interesting to note that OpenBSD does not use the source pages by
>default -- only the processed plaintext 'cat'pages are installed. This
>prevents the need for set(gd)id man applications, and problems such as
>this.

Solaris does the opposite and ships only the unformatted man pages,
which since Solaris 7 are sgml rather than nroff.  If you want to have
access to catman pages rather than wait for them to be formatted each
time then root can run catman.

--
Darren J Moffat
(6053110) --------------------------------(Reflowed)
6056984 2001-02-06 15:07 -0500  /25 lines/ Foldi Tamas <crow@KAPU.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  20:28  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: crow@KAPU.HU
Recipient: Bugtraq (import) <15256>
Comment on text 6052930 by Megyer Ur <lez@SCH.BME.HU>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Foldi Tamas <crow@KAPU.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A805969.90FB75F@kapu.hu>

Megyer Ur wrote:

> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user launches man, our code will be run instead of
> the original /usr/lib/man-db/man binary. This is the real security
> problem.

Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.

Cheers,
Foldi Ur ;)

. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
   crow@kapu.hu - PGP: finger://crow@thot.banki.hu - (+3630) 221-7477
(6056984) ------------------------------------------
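Megyer Ur's attack (a setuid binary that the man user, once obtained, can overwrite), Kris Kennaway's schg flag and Foldi Tamas's chattr +i all reduce to one check: does the identity a set-id binary grants also have write permission on that binary, and is the file pinned by an immutable flag? The following is an added example, not code from any of the posters or from man-db: classify_setid() applies that check with stat(2), is_immutable() reads the Linux immutable flag through FS_IOC_GETFLAGS (the ioctl behind lsattr/chattr), and make_file_with_mode() is a fixture for trying the classifier on scratch files. All function and enum names are assumptions made here for illustration; main() audits whatever paths it is given on the command line.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/ioctl.h>
#include <linux/fs.h>
#endif

enum setid_class {
    SETID_ERROR = -1,        /* stat() failed */
    SETID_NONE = 0,          /* neither setuid nor setgid */
    SETID_SAFE = 1,          /* set-id bit, but the identity it grants cannot write the file */
    SETID_SELF_WRITABLE = 2  /* set-id bit and that identity has write permission */
};

/* A setuid binary runs as its owner, a setgid binary as its group. If that
 * same owner (or group) also has write permission on the file, anyone who
 * reaches that uid/gid, e.g. through the man -l format string bug, can
 * replace the program every later caller (root included) will execute.
 * Root-owned set-id files are the ordinary case and not what the thread is
 * about (root can rewrite anything anyway); filter those with setid_owner(). */
int classify_setid(const char *path)
{
    struct stat st;
    int by_uid, by_gid;

    if (stat(path, &st) != 0)
        return SETID_ERROR;
    by_uid = (st.st_mode & S_ISUID) != 0;
    by_gid = (st.st_mode & S_ISGID) != 0;
    if (!by_uid && !by_gid)
        return SETID_NONE;
    if ((by_uid && (st.st_mode & S_IWUSR)) || (by_gid && (st.st_mode & S_IWGRP)))
        return SETID_SELF_WRITABLE;
    return SETID_SAFE;
}

/* Owner uid of the file, or -1 if it cannot be stat()ed. */
long setid_owner(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_uid : -1L;
}

/* 1 if the immutable flag (chattr +i, the Linux analogue of FreeBSD's schg)
 * is set, 0 if not, -1 if it cannot be read (non-Linux, or a filesystem
 * without attribute support). With the flag set, even the file's owner cannot
 * rewrite, rename or unlink it until root clears the flag. */
int is_immutable(const char *path)
{
#ifdef __linux__
    int fd = open(path, O_RDONLY);
    int attr = 0;
    int rc;
    if (fd < 0)
        return -1;
    rc = ioctl(fd, FS_IOC_GETFLAGS, &attr);
    close(fd);
    if (rc != 0)
        return -1;
    return (attr & FS_IMMUTABLE_FL) ? 1 : 0;
#else
    (void)path;
    return -1;
#endif
}

/* Fixture: create (or truncate) a file and give it exactly MODE, so the
 * classifier can be exercised on scratch files (e.g. 04755 vs 04555). */
int make_file_with_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) {   /* fchmod ignores umask, unlike open() */
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "none", "safe", "SELF-WRITABLE" };
    int i;
    for (i = 1; i < argc; i++) {
        int c = classify_setid(argv[i]);
        if (c < 0) {
            perror(argv[i]);
            continue;
        }
        printf("%-32s uid=%ld %s immutable=%d\n", argv[i],
               setid_owner(argv[i]), names[c], is_immutable(argv[i]));
    }
    return 0;
}
```

Run it over the thread's paths (/usr/bin/man, /usr/lib/man-db/man) and the interesting output is a non-root uid combined with SELF-WRITABLE and immutable=0; a root-owned 4755 file is the normal case. Setting S_ISGID on a scratch file as an unprivileged user is silently dropped unless you are in the file's group, so the fixture is best exercised with setuid modes.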
6056996 2001-02-06 16:29 +0100  /24 lines/ Sebastian Krahmer <krahmer@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  20:32  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: krahmer@SUSE.DE
Recipient: Bugtraq (import) <15257>
Subject: man issue
------------------------------------------------------------
From: Sebastian Krahmer <krahmer@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0102061627270.393-100000@Galois.suse.de>

hi,

The format issue of man seems harmless.
The bug lies in here

    /* XXX */
    if (!display (NULL, argv[optind], NULL,
                  basename(argv[optind]))) {
            error (0, errno, argv[optind]);
            exit_status = NOT_FOUND;
    }

where error() is format-capable. However root privs are dropped
before.  So, you could gain a user-shell if you want.  Please don't
run man setgid, as man doesn't drop the effective group ID.

l8,
Sebastian
(6056996) --------------------------------(Reflowed)
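The call Sebastian Krahmer quotes hands argv[optind], the page name typed after "man -l", to error(), whose third parameter is a printf-style format. The following is an added example, not man-db's code: report() is a small stand-in for glibc's error(3) that writes into a buffer instead of stderr so the result can be inspected, not_found_vulnerable() reproduces the quoted pattern, not_found_fixed() shows the one-line fix (a constant "%s" format with the user data as an argument), and the two helper predicates compare each against what the message should have been. The function names, the buffer-based interface and the input "100%%" are assumptions constructed for the demonstration.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for glibc's error(3): formats "man: <message>: <strerror(errnum)>".
 * Like error(3), the third parameter is interpreted as a printf format. */
static void report(char *out, size_t outlen, int errnum, const char *fmt, ...)
{
    char msg[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);   /* fmt directives are expanded here */
    va_end(ap);
    snprintf(out, outlen, "man: %s: %s", msg, strerror(errnum));
}

/* The pattern quoted from man-db: user data used as the format string.
 * "%x" reads argument slots that were never passed, "%n" writes to an
 * address taken from them (the segfault seen in the thread), and "%%"
 * collapses to a single "%", which is the harmless probe used below. */
void not_found_vulnerable(char *out, size_t outlen, const char *page)
{
    report(out, outlen, ENOENT, page);          /* BUG: page is the format */
}

/* The fix: constant format, user data passed as a %s argument. */
void not_found_fixed(char *out, size_t outlen, const char *page)
{
    report(out, outlen, ENOENT, "%s", page);
}

/* What the message should read if the page name were copied verbatim. */
static void expected_message(char *out, size_t outlen, const char *page)
{
    snprintf(out, outlen, "man: %s: %s", page, strerror(ENOENT));
}

/* 1 if the vulnerable path altered the page name, i.e. it was interpreted. */
int page_name_was_interpreted(const char *page)
{
    char got[512], want[512];
    not_found_vulnerable(got, sizeof got, page);
    expected_message(want, sizeof want, page);
    return strcmp(got, want) != 0;
}

/* 1 if the fixed path reproduces the page name exactly, directives and all. */
int fixed_preserves_page_name(const char *page)
{
    char got[512], want[512];
    not_found_fixed(got, sizeof got, page);
    expected_message(want, sizeof want, page);
    return strcmp(got, want) == 0;
}

int main(void)
{
    char buf[512];
    const char *page = "100%%";   /* constructed probe; "%x%x" or "%n" is the attack */

    not_found_vulnerable(buf, sizeof buf, page);
    printf("vulnerable: %s\n", buf);             /* "man: 100%: ..."  */
    not_found_fixed(buf, sizeof buf, page);
    printf("fixed:      %s\n", buf);             /* "man: 100%%: ..." */
    return 0;
}
```

The probe deliberately uses only "%%" so the demonstration is deterministic; feeding "%x" or "%n" into the vulnerable path is undefined behaviour and is exactly what the segfault in the original report shows. Note that the fix does nothing about who the process runs as: Krahmer's point stands that a setuid-man binary still hands out the man uid to whoever exploits any later bug.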
6057072 2001-02-06 09:38 +0100  /20 lines/ Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06  20:53  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: robbe@ORCUS.PRIV.AT
Recipient: Bugtraq (import) <15260>
Comment on text 6048048 by Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE> writes:

> Please tell me what you gain from this.  man does not run setuid root/man
> but only setgid man.

Debian man-db is setuid (not setgid) man[1] in the latest stable and
unstable incarnations.

Getting uid man is not immediate death, but bad enough. Bug 84128 has
been reported (with the trivial patch) a week ago. Please fix it.


Footnotes:
[1]  Unless you've set NOSETGID in /etc/manpath.config ... obvious,
isn't it?

--
Robbe
(6057072) --------------------------------(Reflowed)
Attachment (application/pgp-signature) in text 6057073
6057073 2001-02-06 09:38 +0100  /10 lines/ Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
Attachment filename: "signature.ng"
Imported: 2001-02-06  20:53  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: robbe@ORCUS.PRIV.AT
Recipient: Bugtraq (import) <15261>
Attachment (text/plain) to text 6057072
Subject: Attachment (signature.ng) to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6f7gp8g21h7wYWrMRAlNNAKCsZomz5ZuFk6eQ0VwYW/dm0CPPSQCgjgxp
XrUumCGnWAP6Rw+K/yieNK0=
=SbC1
-----END PGP SIGNATURE-----
(6057073) ------------------------------------------