RH7.0: man local gid 15 (man) exploit [UNCONFIRMED] (fwd)

Edgar Hernández Z. cybered en ns.datasys.com.mx
Mar Mayo 15 14:12:31 CDT 2001 

Saludos...

Edgar...

-- 
.. todo puede fallar, tu no...

---------- Forwarded message ----------
Date: Mon, 14 May 2001 21:21:47 +0200
From: Sylwester Zarêbski <sylwek en tornet.pl>
To: bugtraq en securityfocus.com
Subject: Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]

Sunday, May 13, 2001, 10:07:34 PM, zenith napisa³(a):

> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================

> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

> man -S `perl -e 'print ":" x 100'`

Confirmed:

$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

> Will cause a seg fault if you are vulnerable.

> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). one such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.

> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.

> Redhat have be contacted, and will be releasing an errata soon.

> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis

My 'man' executable comes from default installation of RH 7.0.

-- 
pozdrawiam

|      Sylwester Zarêbski      |
|   e-mail: sylwek en tornet.pl   |
|      ICQ uin: #45780888      |
|   Administrator TORNET.PL    |


---------------------------------------------------------
para salir de la lista, enviar un mensaje con las palabras
"unsubscribe ayuda" en el cuerpo a majordomo en linux.org.mx

Más información sobre la lista de distribución Ayuda