From: Martin Schulze (joeyFINLANDIA.INFODROM.NORTH.DE)
Date: Sun Feb 04 2001 - 04:05:54 CST

    StyX wrote:
    > Joao Gouveia wrote:
    > >
    > > Hi,
    > >
    > > This issue has been discussed in vuln-dev (2001-01-26), see:
    > > http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
    > >
    > > Posted also on suse security list, and apparently overlooked.
    > >
    > > The man package that ships with SuSe Linux ( at least versions 6.1 through
    > > 7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is
    > > confirmed to have the same problem.
    > >
    > > <quote>
    > > jrobertospike:~ > man -l %x%x%x%x
    > > man: 4000bc7438049af00: No such file or directory
    > > </quote>
    > >
    > > Regards,
    > >
    > > Joao Gouveia
    > > ------------
    > > tharbadkaotik.org
    >
    > Hmm... What about this?
    >
    > styxSuxOS-devel:~$ man -l %n%n%n%n
    > man: Segmentation fault
    > styxSuxOS-devel:~$
    >
    > This was on my Debian 2.2 potato system (It doesn't dump core though).

    Please tell me what you gain from this. man does not run setuid root/man
    but only setgid man. So all you can exploit this to is a shell running
    under your own user id.

    Please correct me if I'm mistaken.

    Regards,

            Joey

    --
    GNU GPL: "The source will be with you... always."
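
The bug class discussed in this thread, shown as an added example that is not part of the original messages and is not taken from the man source: the argument reaches a printf-style function as the format string instead of as data. The function names and the error-message layout below are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporters; not taken from the man source. */

/* Vulnerable pattern: the caller-supplied name ends up inside the format
 * string, so "%x" prints stray stack/register words and "%n" writes
 * through them. gcc/clang report this call under -Wformat-security; the
 * pragma silences that only so this demonstration builds cleanly. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static int report_unsafe(char *out, size_t len, const char *name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "man: %s: No such file or directory", name);
    return snprintf(out, len, msg);          /* BUG: data used as format */
}
#pragma GCC diagnostic pop

/* Fixed pattern: constant format string, name passed only as an argument. */
static int report_safe(char *out, size_t len, const char *name)
{
    return snprintf(out, len, "man: %s: No such file or directory", name);
}

/* Counts printf conversions in untrusted text ("%%" is a literal percent).
 * Useful as an audit or logging check, not as a substitute for the fix. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char buf[512];
    const char *arg = "%x%x%x%x";            /* constructed input, as in the report */
    report_safe(buf, sizeof buf, arg);
    printf("safe:   %s (%d conversions in input)\n", buf, count_conversions(arg));
    report_unsafe(buf, sizeof buf, arg);     /* undefined behaviour: prints stray words */
    printf("unsafe: %s\n", buf);
    return 0;
}
```

With the constant format string the `%x` and `%n` sequences come back verbatim in the message, which is the behaviour a patched binary should show for the commands quoted above.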