6496711 2001-05-13 20:17 +0000 /41 rader/ zenith parsec <zenith_parsec@the-astronaut.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-15 08:58 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <16967>
Ärende: RH 7.0:/usr/bin/man exploit: gid man + more
------------------------------------------------------------
From: "zenith parsec" <zenith_parsec@the-astronaut.com>
To: bugtraq@securityfocus.com
Message-ID: <20010513201722.10411.qmail@fiver.freemessage.com>
========================================================
Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
package) and earlier.
=========================================================
Heap Based Overflow of man via -S option gives GID man.
Due to a slight error in a length check, the -S option to man can
cause a buffer overflow on the heap, allowing redirection of
execution into user supplied code.
man -S `perl -e 'print ":" x 100'`
Will cause a seg fault if you are vulnerable.
It is possible to insert a pointer into a linked list that will allow
overwriting of any value in memory that is followed by 4 null
characters (a null pointer). one such memory location is the last
entry on the GOT (global offset table). When another item is added to
the linked list, the address of the data (a filename) is inserted
over the last value, effectively redefining the function to the code
represented by the filename.
Putting shellcode in the filename allows execution of arbitrary code
when the function referred to is called.
Redhat have be contacted, and will be releasing an errata soon.
--zen-parse
GID man allows a race condition for root via
/etc/cron.daily/makewhatis and /sbin/makwhatis
Sign up for your FREE E-MAIL account @ Dynamitemail:
http://www.dynamitemail.com
(6496711) /zenith parsec <zenith_parsec@the-astronaut.com>/(Ombruten)
6496977 2001-05-14 12:40 +0200 /26 rader/ Olaf Kirch <okir@caldera.de>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-15 09:59 av Brevbäraren
Extern mottagare: zenith parsec <zenith_parsec@the-astronaut.com>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <16972>
Kommentar till text 6491924 av zenith parsec <zenith_parsec@the-astronaut.com>
Ärende: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
From: Olaf Kirch <okir@caldera.de>
To: zenith parsec <zenith_parsec@the-astronaut.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010514124059.D5030@monad.caldera.de>
On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:
> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
Caldera OpenLinux is not vulnerable to this problem. Our man-1.5
package comes with a patch that forks off a "cache manager" thread
that puts formatted pages into /var/catman, while the man application
itself continues in the foreground without any privilege.
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
(6496977) /Olaf Kirch <okir@caldera.de>/--(Ombruten)
6497459 2001-05-14 21:21 +0200 /52 rader/ Sylwester Zarêbski <sylwek@tornet.pl>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-15 11:33 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <16975>
Kommentar till text 6491924 av zenith parsec <zenith_parsec@the-astronaut.com>
Ärende: Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]
------------------------------------------------------------
From: Sylwester "Zarêbski" <sylwek@tornet.pl>
To: bugtraq@securityfocus.com
Message-ID: <1857118636.20010514212147@tornet.pl>
Sunday, May 13, 2001, 10:07:34 PM, zenith napisa³(a):
> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.
> man -S `perl -e 'print ":" x 100'`
Confirmed:
$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault
> Will cause a seg fault if you are vulnerable.
> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). one such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.
> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.
> Redhat have be contacted, and will be releasing an errata soon.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis
My 'man' executable comes from default installation of RH 7.0.
--
pozdrawiam
| Sylwester Zarêbski |
| e-mail: sylwek@tornet.pl |
| ICQ uin: #45780888 |
| Administrator TORNET.PL |
(6497459) /Sylwester Zarêbski <sylwek@tornet.pl>/---
6497665 2001-05-15 05:00 +0400 /47 rader/ <solar@openwall.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-15 12:38 av Brevbäraren
Extern mottagare: zenith parsec <zenith_parsec@the-astronaut.com>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <16978>
Kommentar till text 6491924 av zenith parsec <zenith_parsec@the-astronaut.com>
Ärende: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
On Sun, May 13, 2001 at 08:07:34PM -0000, zenith parsec wrote:
> man -S `perl -e 'print ":" x 100'`
>
> Will cause a seg fault if you are vulnerable.
This and several other man vulnerabilities have been discussed on
security-audit last year. See:
MARC: thrd 'Multiple man vulnerabilities with Red Hat Linux 6.2'
http://marc.theaimsgroup.com/?t=97096128600001&w=2&r=1
MARC: thrd 'More fun with man 1.5h1'
http://marc.theaimsgroup.com/?t=97135295400001&w=2&r=1
I don't think your analysis of the possibilities to exploit this is
entirely correct. The buffer is in the bss, not on the heap. In
fact, the builds of man-1.5h1 I have here won't even segfault on the
command you mention, not even when given 400 colons -- but they do
misbehave in other ways. (I am willing to believe that this really
is exploitable on the RH 7.0 build, which I don't have.)
Of course, this is just one reason why SGID man is bad.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis
Yes, due to their security fix. I haven't seen this mentioned before
(but I'm not using this broken fix, anyway).
-TMPFILE=$HOME/whatis$$
-TMPFILEDIR=/tmp/whatis$$
+TMPFILE=/var/cache/man/whatis$$
+TMPFILEDIR=/var/cache/man/whatis$$
where /var/cache/man is writable by group man. :-(
The makewhatis patch we have in Owl (http://www.openwall.com/Owl/) is
attached.
The section list overflow bug you mention isn't a security problem on
Owl for obvious reasons, but is on my TODO for fixing (has been there
since the security-audit discussion).
--
/sd
(6497665) / <solar@openwall.com>/---------(Ombruten)
Bilaga (text/plain) i text 6497666
6497666 2001-05-15 05:00 +0400 /117 rader/ <solar@openwall.com>
Importerad: 2001-05-15 12:38 av Brevbäraren
Extern mottagare: zenith parsec <zenith_parsec@the-astronaut.com>
Extern kopiemottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <16979>
Bilaga (text/plain) till text 6497665
Ärende: Bilaga till: Re: RH7.0: man local gid 15 (man) exploit
------------------------------------------------------------
diff -ur man-1.5h1.orig/src/makewhatis.sh man-1.5h1/src/makewhatis.sh
--- man-1.5h1.orig/src/makewhatis.sh Tue Jun 29 06:20:59 1999
+++ man-1.5h1/src/makewhatis.sh Thu Aug 10 02:56:57 2000
@@ -3,6 +3,7 @@
# Created: Sun Jun 14 10:49:37 1992
# Revised: Sat Jan 8 14:12:37 1994 by faith@cs.unc.edu
# Revised: Sat Mar 23 17:56:18 1996 by micheal@actrix.gen.nz
+# Revised: Thu Aug 10 02:17:50 2000 by solar@owl.openwall.com
# Copyright 1992, 1993, 1994 Rickard E. Faith (faith@cs.unc.edu)
# May be freely distributed and modified as long as copyright is retained.
#
@@ -24,6 +25,7 @@
# 960510 - added fixes by brennan@raven.ca.boeing.com, author of mawk.
# 971012 - replaced "test -z" - it doesnt work on SunOS 4.1.3_U1.
# 980710 - be more careful with TMPFILE
+# 000810 - solar: use mktemp, keep whatis files consistent while running.
#
# Note for Slackware users: "makewhatis -v -w -c" will work.
#
@@ -39,23 +41,7 @@
# AWK=/usr/bin/gawk
AWK=%gawk%
-# Find a place for our temporary files. If security is not a
concern, use
-# TMPFILE=/tmp/whatis$$; TMPFILEDIR=none
-# Of course makewhatis should only have the required permissions
-# (for reading and writing directories like /usr/man).
-# We try here to be careful (and avoid preconstructed symlinks)
-# in case makewhatis is run as root, by creating a subdirectory of
/tmp.
-# If that fails we use $HOME.
-# The code below uses test -O which doesnt work on all systems.
-TMPFILE=$HOME/whatis$$
-TMPFILEDIR=/tmp/whatis$$
-if [ ! -d $TMPFILEDIR ]; then
- mkdir $TMPFILEDIR
- chmod 0700 $TMPFILEDIR
- if [ -O $TMPFILEDIR ]; then
- TMPFILE=$TMPFILEDIR/w
- fi
-fi
+TMPFILE=`mktemp /tmp/$program.XXXXXX` || exit 1
topath=manpath
@@ -74,6 +60,7 @@
case $name in
--version|-V)
echo "$program from %version%"
+ rm $TMPFILE
exit 0;;
-c) topath=catpath
defmanpath=
@@ -97,12 +84,14 @@
echo " [manpath]: man directories (default: $DEFMANPATH)"
echo " [catpath]: cat directories (default: the first existing"
echo " directory in $DEFCATPATH)"
+ rm $TMPFILE
exit;;
*) if [ -d $name ]
then
eval $topath="\$$topath":$name
else
echo "No such directory $name"
+ rm $TMPFILE
exit
fi;;
esac
@@ -117,7 +106,7 @@
fi
catpath=`echo ${catpath} | tr : ' '`
-# first truncate all the whatis files that will be created new,
+# first mark all the whatis files that will be created new,
# then only update - we might visit the same directory twice
if [ x$update = x ]; then
for pages in man cat
@@ -125,7 +114,7 @@
eval path="\$$pages"path
for mandir in $path
do
- cp /dev/null $mandir/whatis
+ touch $mandir/whatis.update
done
done
fi
@@ -139,7 +128,7 @@
if [ x$verbose != x ]; then
echo "about to enter $mandir" > /dev/tty
fi
- if [ -s ${mandir}/whatis -a $pages = man -a x$update = x ]; then
+ if [ ! -f ${mandir}/whatis.update -a $pages = man -a x$update = x ]; then
if [ x$verbose != x ]; then
echo skipping $mandir - we did it already > /dev/tty
fi
@@ -338,15 +327,12 @@
then
cat ${mandir1}/whatis >> $TMPFILE
fi
- sed '/^$/d' < $TMPFILE | sort | uniq > ${mandir1}/whatis
+ touch ${mandir1}/whatis.tmp
+ chmod 644 ${mandir1}/whatis.tmp
+ sed '/^$/d' < $TMPFILE | sort -u > ${mandir1}/whatis.tmp
- chmod 644 ${mandir1}/whatis
- rm $TMPFILE
+ mv -f ${mandir1}/whatis.tmp ${mandir1}/whatis
+ rm $TMPFILE ${mandir1}/whatis.update
fi
done
done
-
-# remove the dir if we created it
-if [ $TMPFILE = $TMPFILEDIR/w ]; then
- rmdir $TMPFILEDIR
-fi
(6497666) / <solar@openwall.com>/---------(Ombruten)