6051758 2001-02-05 06:34 -0500 /30 lines/ John <johns@HUSHMAIL.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 20:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: johns@HUSHMAIL.COM
Recipient: Bugtraq (import) <15223>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: John <johns@HUSHMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A7E8FD7.FF012EF3@hushmail.com>

On my Debian 2.2 system 'man' was installed suid root. I don't know about
Debian 2.3, but Debian 2.2 does install 'man' suid root.

Robert van der Meulen wrote:
>
> Hi,
>
> Quoting StyX (styx@MAILBOX.AS):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.
>
> Greets,
> Robert
>
> --
> Linux Generation
(6051758) ------------------------------------------
Comment in text 6052926 by Graham Hughes <graham@LYNDA.COM>
Comment in text 6052930 by Megyer Ur <lez@SCH.BME.HU>
Comment in text 6052940 by Matt Zimmerman <mdz@DEBIAN.ORG>
Comment in text 6052975 by Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>

6052926 2001-02-05 11:35 -0800 /53 lines/ Graham Hughes <graham@LYNDA.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 01:56 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: graham@LYNDA.COM
Recipient: Bugtraq (import) <15235>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Graham Hughes <graham@LYNDA.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <87ofwgq5xk.fsf@ash.i-did-not-set--mail-host-address--so-shoot-me>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John <johns@HUSHMAIL.COM> writes:

> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.

graham@lonestar:~$ cat /etc/debian_version
2.2
graham@lonestar:~$ dpkg --listfiles man-db | grep bin
/usr/bin
/usr/bin/manpath
/usr/bin/catman
/usr/bin/whatis
/usr/bin/apropos
/usr/bin/wrapper
/usr/bin/man
/usr/bin/mandb
/usr/bin/zsoelim
/usr/sbin
/usr/sbin/accessdb
graham@lonestar:~$ dpkg --listfiles man-db | grep bin/ | xargs ls -l
- -rwxr-xr-x    1 root     root        28064 Apr  4  2000 /usr/bin/apropos
- -rwxr-xr-x    1 root     root        28704 Apr  4  2000 /usr/bin/catman
- -rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/man
- -rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/mandb
- -rwxr-xr-x    1 root     root        19832 Apr  4  2000 /usr/bin/manpath
- -rwxr-xr-x    1 root     root        27712 Apr  4  2000 /usr/bin/whatis
- -rwxr-xr-x    3 root     root         4832 Apr  4  2000 /usr/bin/wrapper
- -rwxr-xr-x    1 root     root        16172 Apr  4  2000 /usr/bin/zsoelim
- -rwxr-xr-x    1 root     root        11476 Apr  4  2000 /usr/sbin/accessdb
graham@lonestar:~$

Ahem.

- --
Graham Hughes <graham@lynda.com>
PGP fingerprint: 1F1D 0027 B835 E114 3F5B  2C7C 64D1 83A0 C5C7 312A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.5 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE6fwBuZNGDoMXHMSoRAoUkAJ0XvGFxwLJgNl4yJ7Ip1R8jy33KyACgmZiM
9l7Wsa4J9A6+wbBIctaXKj4=
=iOSf
-----END PGP SIGNATURE-----
(6052926) ------------------------------------------

6052930 2001-02-05 23:18 +0100 /53 lines/ Megyer Ur <lez@SCH.BME.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 01:58 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: lez@SCH.BME.HU
Recipient: Bugtraq (import) <15236>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Megyer Ur <lez@SCH.BME.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205231858.A8735@visible>

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.

Debian systems:
---------------
-rwsr-xr-x    1 man      root        84524 Oct 24 08:11 /usr/lib/man-db/man
-rwxr-xr-x    3 root     root         5060 Oct 24 08:11 /usr/bin/man

There are two man binaries. /usr/bin/man is a simple binary, without any
suid bit, BUT /usr/lib/man-db/man is suid man, and it's vulnerable to the
man -l <formatstr> attack. So anyone can get man uid by exploiting it.

So we can overwrite the /usr/lib/man-db/man binary with any stuff we
want, and when some user launches man, our code will be run instead of
the original /usr/lib/man-db/man binary. This is the real security
problem.

If root runs /usr/bin/man, it drops root privileges, and it setuids to
man(6) as you can see:

lez:~# strace man asdf 2>&1 |grep setuid
setuid(6)                               = 0

Redhat systems:
---------------
-rwxr-sr-x    1 root     man         35260 Aug 23 17:56 /usr/bin/man

We can get man gid with man on Redhat. Then we may be able to overwrite
some stuff in /var/man/cache, which is still insecure because troff may
have some security flaws...

Conclusion:
-----------
In Debian systems, we can own the user who runs man (but not root!).
In Redhat systems, we get only man gid, but one may be able to get more
(not checked).

--
Lez (Megyer Laszlo)   lez@sch.bme.hu
(6052930) --------------------------------(Re-wrapped)

6052940 2001-02-05 15:33 -0500 /22 lines/ Matt Zimmerman <mdz@DEBIAN.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 02:01 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mdz@DEBIAN.ORG
Recipient: Bugtraq (import) <15237>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Matt Zimmerman <mdz@DEBIAN.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205153328.L13606@alcor.net>

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.

Are you certain? In Debian stable (2.2, potato), man is installed setgid
man. In Debian unstable and testing (sid, woody), man is now installed
setuid man (for reasons noted elsewhere in this thread).

If you actually have a situation where man has been installed setuid
root, it would be a very serious bug, and you should report which
architecture and version of the man-db package you are using.

--
 - mdz
(6052940) --------------------------------(Re-wrapped)

6052975 2001-02-05 20:40 +0100 /23 lines/ Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 02:35 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: aferber@TECHFAK.UNI-BIELEFELD.DE
Recipient: Bugtraq (import) <15240>
Comment on text 6051758 by John <johns@HUSHMAIL.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
Hi,

On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.

No, this is not true:

$ ls -la /usr/lib/man-db/man
-rwsr-xr-x    1 man      root        82848 Apr  4  2000 /usr/lib/man-db/man
$

This is the actual man binary (/usr/bin/man is only a wrapper; I did not
examine closer what it does, but it has no setu/gid bit set), after a
plain Debian 2.2 potato install.

Andreas
--
After the last of 16 mounting screws has been removed from an access
cover, it will be discovered that the wrong access cover has been removed.
(6052975) --------------------------------(Re-wrapped)
Attachment (application/pgp-signature) in text 6052976

6052976 2001-02-05 20:40 +0100 /10 lines/ Andreas Ferber <aferber@TECHFAK.UNI-BIELEFELD.DE>
Imported: 2001-02-06 02:35 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: aferber@TECHFAK.UNI-BIELEFELD.DE
Recipient: Bugtraq (import) <15241>
Attachment (text/plain) to text 6052975
Subject: Attachment to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6fwGZfO23eTjctSoRAtYIAJ0QV9XbIPXEN5lciY8Sm+lcNya3NACfeUDk
3Vu6F14q91hhW5l9mzSVUes=
=nA5s
-----END PGP SIGNATURE-----
(6052976) ------------------------------------------

6051823 2001-02-05 11:42 -0600 /25 lines/ Mate Wierdl <mw@THALES.MEMPHIS.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-05 20:50 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: mw@THALES.MEMPHIS.EDU
Recipient: Bugtraq (import) <15227>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Mate Wierdl <mw@THALES.MEMPHIS.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205114219.B30149@thales.memphis.edu>

On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> I don't know about Suse/Redhat/others.

On RH 7.0 and 6.2 it does not seem to matter as far as the vulnerability
is concerned since

$ man -l %x%x%x%x 2>&1 |head -1
man: invalid option -- l

on both systems. Also,

$ ls -l `which man`
-rwxr-sr-x    1 root     man         34800 Jun 30  2000 /usr/bin/man

---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
(6051823) ------------------------------------------

6052876 2001-02-05 23:17 +0100 /35 lines/ Roman Drahtmueller <draht@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 01:24 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: draht@SUSE.DE
Recipient: Bugtraq (import) <15232>
Comment on text 6048039 by Robert van der Meulen <rvdm@CISTRON.NL>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Roman Drahtmueller <draht@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.30.0102052312440.26556-100000@dent.suse.de>

> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
> I don't know about Suse/Redhat/others.

SuSE ships the /usr/bin/man command suid man.

After exploiting the man command format string vulnerability, the attacker
can then replace the /usr/bin/man binary with a program of their own. Since
the man command is supposed to be used frequently (especially by
administrators), this imposes a rather high security risk, which deserves
some due respect.

We'll provide update packages shortly.

> Greets,
> Robert

Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //     not enable user to fly." |
| Nürnberg, Germany      +49-911-740530 //    (Batman Costume warning label) |
 -                                                                      -
(6052876) --------------------------------(Re-wrapped)
Comment in text 6053046 by Kris Kennaway <kris@OBSECURITY.ORG>

6053046 2001-02-05 17:05 -0800 /19 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 04:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15246>
Comment on text 6052876 by Roman Drahtmueller <draht@SUSE.DE>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
On Mon, Feb 05, 2001 at 11:17:28PM +0100, Roman Drahtmueller wrote:

> SuSE ships the /usr/bin/man command suid man.
>
> After exploiting the man command format string vulnerability, the attacker
> can then replace the /usr/bin/man binary with an own program - since the
> man command is supposed to be used frequently (especially for administrators),
> this imposes a rather high security risk, which deserves some due respect.
>
> We'll provide update packages shortly.

The solution FreeBSD uses is to set the schg flag on /usr/bin/man - this
flag can only be set and removed by root, and prevents a compromise of the
man user from overwriting the binary. FWIW, I don't think FreeBSD has the
man problem.

Kris
(6053046) ------------------------------------------
Attachment (application/pgp-signature) in text 6053047

6053047 2001-02-05 17:05 -0800 /10 lines/ Kris Kennaway <kris@OBSECURITY.ORG>
Imported: 2001-02-06 04:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: kris@OBSECURITY.ORG
Recipient: Bugtraq (import) <15247>
Attachment (text/plain) to text 6053046
Subject: Attachment to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6f03vWry0BWjoQKURAmEgAKD41j8R+5shiJfL2idqNxwTkugfHQCfRIKQ
18/ym5x7No6xhAD2ANCj0Ds=
=R+Dp
-----END PGP SIGNATURE-----
(6053047) ------------------------------------------

6053053 2001-02-05 17:34 -0800 /31 lines/ Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 04:36 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Darren.Moffat@eng.sun.com
Recipient: Bugtraq (import) <15248>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Darren Moffat <Darren.Moffat@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060134.f161YlR299519@jurassic.eng.sun.com>

>> > This was on my Debian 2.2 potato system (It doesn't dump core though).
>> Just for the record:
>> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
>> this doesn't impose a security problem.
>> I don't know about Suse/Redhat/others.
>
>SuSE ships the /usr/bin/man command suid man.
>
>After exploiting the man command format string vulnerability, the attacker
>can then replace the /usr/bin/man binary with an own program - since the
>man command is supposed to be used frequently (especially for administrators),
>this imposes a rather high security risk, which deserves some due respect.
>
>We'll provide update packages shortly.

I'm having a hard time working out why the man command is setuid to any
user.

Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text?

--
Darren J Moffat
(6053053) --------------------------------(Re-wrapped)
Comment in text 6053111 by Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
Comment in text 6053112 by Seth Arnold <sarnold@WILLAMETTE.EDU>
Comment in text 6053184 by David Luyer <david_luyer@PACIFIC.NET.AU>

6053111 2001-02-05 20:01 -0800 /28 lines/ Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 06:43 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: dan-bugtraq@DILVISH.SPEED.NET
Recipient: Bugtraq (import) <15250>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060401.UAA21404@dilvish.speed.net>

Darren Moffat <Darren.Moffat@eng.sun.com> writes:
> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

Isn't it an issue with caching that viewable text in catN directories? If
the catN directories are mode 777, people can put in "Trojaned" man pages
that tell users to do harmful things. If they're mode 1777, a user viewing
a new version of the man page for <program> won't be able to replace the
copy of <program>.1 some other user put in the cat1 directory 5 years ago.
Thus the setuid man solution.

Now, one could certainly argue that with today's processor and disk
speeds, caching nroff results is no longer a significant savings.

----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net  | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.
(6053111) --------------------------------(Re-wrapped)

6053112 2001-02-05 19:32 -0800 /26 lines/ Seth Arnold <sarnold@WILLAMETTE.EDU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 06:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: sarnold@WILLAMETTE.EDU
Recipient: Bugtraq (import) <15251>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Seth Arnold <sarnold@WILLAMETTE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010205193219.A28281@willamette.edu>

* Darren Moffat <Darren.Moffat@eng.sun.com> [010205 19:24]:
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

It is setuid <some user> in order to store pre-formatted manpages around,
so that future invocations do not have to format the manpage. It is
intended to allow simple source pages to be shipped (compressed in the
case of at least Debian) so that PostScript versions can be generated, in
addition to the simple text-viewable versions -- and still allow for
frequently-accessed manpages to load as fast as shipping the formatted
versions of manpages.

It is interesting to note that OpenBSD does not use the source pages by
default -- only the processed plaintext 'cat' pages are installed. This
prevents the need for set(gd)id man applications, and problems such as
this.

--
``Oh Lord; Ooh you are so big; So absolutely huge; Gosh we're all really
impressed down here, I can tell you.''
(6053112) --------------------------------(Re-wrapped)

6053184 2001-02-06 15:53 +1100 /42 lines/ David Luyer <david_luyer@PACIFIC.NET.AU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 08:03 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: david_luyer@PACIFIC.NET.AU
Recipient: Bugtraq (import) <15252>
Comment on text 6053053 by Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: David Luyer <david_luyer@PACIFIC.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060453.f164rrs00788@typhaon.pacific.net.au>

Darren Moffat wrote:
> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?

Two operations are done where SUID is useful; firstly maintaining the
manual page index (remember what happens on Solaris if you haven't indexed
the man pages and someone does a man -k... it just basically says
"sorry"... a SUID man can build this on the fly for any changes detected)
and secondly the unfortunate belief on many OSes/distros that caching
nroff output is useful (which is true for performance, but leads to
systems formatting man pages as 24x80 rather than adjusting to the real
window size like some of the nicer "man" variants used to).

Both of them are performance issues; one could be addressed by having the
manual page indexes maintained by the package install process, and the
second is somewhat harder to address but somewhat more questionable in the
net performance gain (perhaps per-user caching would have a similar
performance gain without the SUID requirement - and these could be stored
in an area which is automatically cleaned regularly).

(Hmm, does BUGTRAQ need/have a FAQ for questions which are asked every few
years [why is "x" SUID; what about design flaw "y" {eg, nobody homedir};
...] and security holes which seem to come back from time to time [such as
the RESOLV_HOST_CONF one which recently reoccurred in a Debian
unstable/testing libc package]?)

David.
--
David Luyer                                      Phone:   +61 3 9674 7525
Senior Network Engineer            P A C I F I C Fax:     +61 3 9699 8693
Pacific Internet (Australia)       I N T E R N E T Mobile: +61 4 1111 2983
http://www.pacific.net.au/                       NASDAQ:  PCNTF
(6053184) --------------------------------(Re-wrapped)

6053110 2001-02-05 20:16 -0800 /37 lines/ Darren Moffat <Darren.Moffat@ENG.SUN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 06:40 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: Darren.Moffat@eng.sun.com
Recipient: Bugtraq (import) <15249>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Darren Moffat <Darren.Moffat@ENG.SUN.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <200102060416.f164GWR318805@jurassic.eng.sun.com>

>* Darren Moffat <Darren.Moffat@eng.sun.com> [010205 19:24]:
>> Exactly what is it that man MUST do to perform the job of turning nroff
>> man pages into viewable text ?

Given the replies I got that are similar to the one below I should have
been more explicit - I knew this but was trying to hint that it wasn't
part of the functionality of formatting the page. man doesn't NEED to do
this to get the job done; this is all just about caching at the expense of
security.

>It is setuid <some user> in order to store pre-formatted manpages
>around, so that future invocations do not have to format the manpage. It
>is intended to allow simple source pages to be shipped (compressed in
>the case of at least Debian) so that PostScript versions can be
>generated, in addition to the simple text-viewable versions -- and still
>allow for frequently-accessed manpages to load as fast as shipping the
>formatted versions of manpages.

>It is interesting to note that OpenBSD does not use the source pages by
>default -- only the processed plaintext 'cat'pages are installed. This
>prevents the need for set(gd)id man applications, and problems such as
>this.

Solaris does the opposite and ships only the unformatted man pages, which
since Solaris 7 are sgml rather than nroff. If you want to have access to
catman pages rather than wait for them to be formatted each time then root
can run catman.

--
Darren J Moffat
(6053110) --------------------------------(Re-wrapped)

6056984 2001-02-06 15:07 -0500 /25 lines/ Foldi Tamas <crow@KAPU.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 20:28 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: crow@KAPU.HU
Recipient: Bugtraq (import) <15256>
Comment on text 6052930 by Megyer Ur <lez@SCH.BME.HU>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
From: Foldi Tamas <crow@KAPU.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A805969.90FB75F@kapu.hu>

Megyer Ur wrote:
> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user launches man, our code will be run instead of
> the original /usr/lib/man-db/man binary. This is the real security
> problem.

Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.

Cheers,
Foldi Ur ;)

. . _ __ ______________________________________________________ __ _ . .
  Foldi Tamas  - We Are The Hashmark In The Rootshell - Security Consultant
  crow@kapu.hu - PGP: finger://crow@thot.banki.hu     - (+3630) 221-7477
(6056984) ------------------------------------------

6056996 2001-02-06 16:29 +0100 /24 lines/ Sebastian Krahmer <krahmer@SUSE.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 20:32 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: krahmer@SUSE.DE
Recipient: Bugtraq (import) <15257>
Subject: man issue
------------------------------------------------------------
From: Sebastian Krahmer <krahmer@SUSE.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0102061627270.393-100000@Galois.suse.de>

hi,

the format issue of man seems harmless. the bug lies in here

        /* XXX */
        if (!display (NULL, argv[optind], NULL, basename(argv[optind]))) {
                error (0, errno, argv[optind]);
                exit_status = NOT_FOUND;
        }

where error() is format-capable. However root privs are dropped before.
So, you could gain a user-shell if you want.

Please don't run man setgid, as man doesn't drop effective group ID.

l8,
Sebastian
(6056996) --------------------------------(Re-wrapped)

6057072 2001-02-06 09:38 +0100 /20 lines/ Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
Sent by: joel@lysator.liu.se
Imported: 2001-02-06 20:53 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: robbe@ORCUS.PRIV.AT
Recipient: Bugtraq (import) <15260>
Comment on text 6048048 by Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
Subject: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE> writes:

> Please tell me what you gain from this. man does not run setuid root/man
> but only setgid man.

Debian man-db is setuid (not setgid) man[1] in the latest stable and
unstable incarnations. Getting uid man is not immediate death, but bad
enough.

Bug 84128 has been reported (with the trivial patch) a week ago. Please
fix it.

Footnotes:
[1] Unless you've set NOSETGID in /etc/manpath.config ... obvious, isn't it?

--
Robbe
(6057072) --------------------------------(Re-wrapped)
Attachment (application/pgp-signature) in text 6057073

6057073 2001-02-06 09:38 +0100 /10 lines/ Robert Bihlmeyer <robbe@ORCUS.PRIV.AT>
Attachment filename: "signature.ng"
Imported: 2001-02-06 20:53 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: robbe@ORCUS.PRIV.AT
Recipient: Bugtraq (import) <15261>
Attachment (text/plain) to text 6057072
Subject: Attachment (signature.ng) to: Re: SuSe / Debian man package format string vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6f7gp8g21h7wYWrMRAlNNAKCsZomz5ZuFk6eQ0VwYW/dm0CPPSQCgjgxp
XrUumCGnWAP6Rw+K/yieNK0=
=SbC1
-----END PGP SIGNATURE-----
(6057073) ------------------------------------------
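Two defensive points run through the thread: Sebastian Krahmer's snippet shows untrusted argv text handed to a format-capable error() function, and his closing remark (with Megyer Ur's strace of setuid(6)) is that a privileged man must actually drop both its effective uid and gid. The C below is an added example written for this page; it is not man-db code and not code from any poster. The function names (has_conversion_spec, format_not_found, drop_privileges) are hypothetical, the "%n%n%n%n" argument is a constructed sample, and the hardened formatter uses a constant "%s" format, which is the shape of the trivial fix Robert Bihlmeyer refers to.

```c
/* Added example (not man-db code). Two defensive patterns from the thread:
 * (1) never use untrusted text as a printf-style format string, and
 * (2) a setuid helper must drop both effective uid and gid and verify it.
 * All function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if 's' contains a '%' that a printf-family function would treat
 * as a conversion specification ("%n", "%x", or a lone trailing '%');
 * "%%" is a literal percent and does not count. Handy when auditing inputs
 * or log lines, but the real fix is to never use such input as a format. */
int has_conversion_spec(const char *s)
{
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent, skip both chars */
            s++;
            continue;
        }
        return 1;               /* '%' followed by anything else, or by end */
    }
    return 0;
}

/* The vulnerable shape quoted in the thread is
 *     error (0, errno, argv[optind]);
 * i.e. user-controlled text in the format position. Hardened version: the
 * format is a string literal and the untrusted name is a "%s" argument, so
 * directives inside it are copied verbatim, never interpreted.
 * Returns the length snprintf would have written. */
int format_not_found(char *out, size_t outsz, const char *prog, int err,
                     const char *untrusted_name)
{
    return snprintf(out, outsz, "%s: %s: %s", prog, untrusted_name,
                    strerror(err));
}

/* Drop to uid/gid and verify that real AND effective ids changed (the
 * thread's complaint is that man left its effective gid in place). A real
 * setuid-root program would also clear supplementary groups with
 * setgroups(2) while still root; that is omitted so the example runs as an
 * ordinary user. Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)       /* gid first: after setuid() we could not */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getgid() != gid || getegid() != gid ||
        getuid() != uid || geteuid() != uid) {
        errno = EPERM;          /* some id did not change: refuse to go on */
        return -1;
    }
    return 0;
}

int main(void)
{
    char msg[256];
    const char *arg = "%n%n%n%n";   /* constructed sample argument */

    printf("has_conversion_spec(\"%s\") = %d\n", arg, has_conversion_spec(arg));
    format_not_found(msg, sizeof msg, "man", ENOENT, arg);
    puts(msg);                      /* the %n's appear literally in the text */
    printf("drop_privileges -> %d\n", drop_privileges(getuid(), getgid()));
    return 0;
}
```

Run as an unprivileged user the drop is a no-op that still exercises the verification path; the message printed for the sample argument is "man: %n%n%n%n: No such file or directory" with the directives untouched, which is exactly the property the one-line "%s" fix buys.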