From: Megyer Ur (lezSCH.BME.HU)
Date: Mon Feb 05 2001 - 16:18:58 CST

    On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
    > On my Debian 2.2 system 'man' was installed
    > suid root. I don't know about Debian 2.3 but,
    > Debian 2.2 does install 'man' suid root.

    Debian systems:
    ---------------

    -rwsr-xr-x 1 man root 84524 Oct 24 08:11 /usr/lib/man-db/man
    -rwxr-xr-x 3 root root 5060 Oct 24 08:11 /usr/bin/man

    There are two man binaries.
    /usr/bin/man is a simple binary, without any suid bit, BUT
    /usr/lib/man-db/man is suid man, and it's vulnerable to a man -l <formatstr>
    attack. So anyone can get the man uid by exploiting it.

    So we can overwrite the /usr/lib/man-db/man binary with any stuff we
    want, and when some user launches man, our code will be run instead of
    the original /usr/lib/man-db/man binary. This is the real security
    problem.

    If root runs /usr/bin/man, it drops root privileges, and it setuids to
    man(6) as you can see:
    lez:~# strace man asdf 2>&1 |grep setuid
    setuid(6) = 0

    Redhat systems:
    ---------------

    -rwxr-sr-x 1 root man 35260 Aug 23 17:56 /usr/bin/man

    We can get the man gid with man on Redhat. Then we may be able to
    overwrite some stuff in /var/man/cache, which is still insecure because
    troff may have some security flaws...

    Conclusion:
    -----------
    In Debian systems, we can own the user who runs man (but not root!).
    In Redhat systems, we get only the man gid, but one may be able to get more
    (not checked).

    --
    Lez (Megyer Laszlo)
    lezsch.bme.hu
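An added audit check, not code from the post or from man-db, that turns the point above into something you can run: a set-id file is a problem when the id it grants is the same non-root id that may rewrite the file (Debian's /usr/lib/man-db/man, owned by man and setuid man) and not when the file stays root-owned (Red Hat's setgid /usr/bin/man). The listing lines are the ones quoted in the post; the function names are my own.

```python
import stat

# The three 'ls -l' lines quoted in the post (Debian, then Red Hat).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 man root 84524 Oct 24 08:11 /usr/lib/man-db/man
-rwxr-xr-x 3 root root 5060 Oct 24 08:11 /usr/bin/man
-rwxr-sr-x 1 root man 35260 Aug 23 17:56 /usr/bin/man
"""

BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
        stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

def perms_to_mode(perms):
    """Turn an 'ls -l' permission string such as '-rwsr-xr-x' into mode bits."""
    mode = 0
    for i, ch in enumerate(perms[1:10]):
        if ch not in "-ST":            # r, w, x, s and t all imply the base bit
            mode |= BITS[i]
        if i == 2 and ch in "sS":      # 's'/'S' in the user exec slot = setuid
            mode |= stat.S_ISUID
        elif i == 5 and ch in "sS":    # 's'/'S' in the group exec slot = setgid
            mode |= stat.S_ISGID
    return mode

def audit(mode, owner, group):
    """Problems with one set-id file: is it writable by the very id it grants?"""
    problems = []
    if mode & stat.S_ISUID and owner != "root":
        # Debian case: setuid to 'man' and owned by 'man', so uid man can rewrite it
        problems.append("setuid to %s, who owns and can rewrite the file" % owner)
    if mode & stat.S_ISGID and group != "root" and mode & stat.S_IWGRP:
        problems.append("setgid to %s, and group %s can write the file" % (group, group))
    if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IWOTH:
        problems.append("set-id file is world-writable")
    return problems

def audit_listing(listing):
    """Run audit() over 'ls -l' lines; returns {path: problems} for flagged files."""
    flagged = {}
    for line in listing.splitlines():
        fields = line.split(None, 8)   # perms links owner group size mon day time name
        if len(fields) == 9:
            problems = audit(perms_to_mode(fields[0]), fields[2], fields[3])
            if problems:
                flagged[fields[8]] = problems
    return flagged

if __name__ == "__main__":
    for path, problems in audit_listing(SAMPLE_LISTING).items():
        print(path, "->", "; ".join(problems))
```

On a live GNU/Linux host the same check runs over `find / -xdev -type f -perm /6000 -exec ls -l {} +` fed to audit_listing().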