From: Roman Drahtmueller (drahtSUSE.DE)
Date: Mon Feb 05 2001 - 16:17:28 CST


    > > styxSuxOS-devel:~$ man -l %n%n%n%n
    > > man: Segmentation fault
    > > styxSuxOS-devel:~$
    > >
    > > This was on my Debian 2.2 potato system (It doesn't dump core though).
    > Just for the record:
    > on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
    > this doesn't impose a security problem.
    > I don't know about Suse/Redhat/others.

    SuSE ships the /usr/bin/man command suid man.

    After exploiting the man command format string vulnerability, the attacker
    can then replace the /usr/bin/man binary with a program of their own - since
    the man command is supposed to be used frequently (especially by administrators),
    this imposes a rather high security risk, which deserves some due respect.

    We'll provide update packages shortly.

    > Greets,
    > Robert

    Roman.

    -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtsuse.de> //          "Caution: Cape does |
      SuSE GmbH - Security           Phone: //       not enable user to fly."
    | Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
     -                                                                      -
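
The risk described in the message above depends on how the binary is installed, so the following is an added example (not part of the original message and not SuSE's tooling) of a POSIX shell check that classifies a file by its setuid/setgid bits and owner. The function names and labels are hypothetical; /usr/bin/man is the path named in the post.

```shell
#!/bin/sh
# Added example: function names and labels are hypothetical, not from the post.

# classify_entry MODE UID
#   MODE is the permission string printed by `ls -l` (e.g. -rwsr-xr-x),
#   UID is the numeric owner. Prints exactly one label.
classify_entry() {
    mode=$1
    uid=$2
    case "$mode" in
        ???[sS]*)
            # setuid: the program runs as the file's owner. When that owner is
            # not root, the identity obtained by compromising the program is
            # the same identity that may chmod and overwrite the file itself.
            if [ "$uid" -ne 0 ]; then
                echo "setuid-nonroot"
            else
                echo "setuid-root"
            fi ;;
        # setgid and writable by the group the program runs as.
        ?????w[sS]*) echo "setgid-group-writable" ;;
        ??????[sS]*) echo "setgid" ;;
        *) echo "plain" ;;
    esac
}

# audit_path FILE: classify one file on disk; non-zero status if it cannot be read.
audit_path() {
    # `ls -ldn` prints: mode, link count, numeric uid, numeric gid, ...
    ls -ldn -- "$1" 2>/dev/null | {
        read -r mode links uid rest && classify_entry "$mode" "$uid"
    }
}

# Default target is the path named in the post; pass other paths as arguments.
[ $# -gt 0 ] || set -- /usr/bin/man
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_path "$f" || echo "not found")"
done
```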