
Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED] (fwd)



Greetings...

Edgar...

-- 
... everything can fail, you cannot...

---------- Forwarded message ----------
Date: Mon, 14 May 2001 21:21:47 +0200
From: Sylwester Zarębski <sylwek en tornet pl>
To: bugtraq en securityfocus com
Subject: Re: RH7.0: man local gid 15 (man) exploit [UNCONFIRMED]

On Sunday, May 13, 2001, 10:07:34 PM, zenith wrote:

> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================

> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

> man -S `perl -e 'print ":" x 100'`

Confirmed:

$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault

> Will cause a seg fault if you are vulnerable.

> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). One such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.

> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.

> Redhat has been contacted, and will be releasing an errata soon.

> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makewhatis

My 'man' executable comes from the default installation of RH 7.0.

-- 
regards

|      Sylwester Zarębski      |
|   e-mail: sylwek en tornet pl   |
|      ICQ uin: #45780888      |
|   Administrator TORNET.PL    |
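Added illustration of the bug class the forwarded post describes (a "slight error in a length check" when copying the colon-separated -S section list into a heap buffer). This is not code from the post and not man's source, which the thread does not quote; the buffer sizes, the function names `fits_buggy`, `fits_fixed` and `parse_sections`, and the section-list format are assumptions chosen to show the off-by-one check beside a correct one and a parser that rejects overlong input instead of overflowing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not man's real code): a colon-separated section
 * list such as "1:3:8" is split and each field copied into its own
 * fixed-size heap buffer. */
#define MAX_SECTIONS    16   /* constructed limit on stored fields */
#define MAX_SECTION_LEN  8   /* constructed capacity of each field buffer */

/* Off-by-one check of the kind the post calls a "slight error": accepting
 * len == cap means the terminating NUL is written one byte past the
 * allocation, corrupting whatever follows it on the heap. Returns 1 if the
 * (flawed) check would accept the length. */
int fits_buggy(size_t len, size_t cap) { return len <= cap; }

/* Correct check: the terminator needs one byte of its own. */
int fits_fixed(size_t len, size_t cap) { return len < cap; }

/* Safe parser. Stores up to MAX_SECTIONS non-empty fields in out[] (each
 * malloc'ed, NUL-terminated, bounded by fits_fixed). Empty fields, as
 * produced by a run of colons, are skipped. Returns the number of fields
 * stored, or -1 if the input is rejected (too many fields or one too long);
 * on -1 nothing is left allocated. */
int parse_sections(const char *spec, char *out[MAX_SECTIONS]) {
    int n = 0;
    const char *p = spec;
    while (*p) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len > 0) {
            if (n == MAX_SECTIONS || !fits_fixed(len, MAX_SECTION_LEN)) {
                for (int i = 0; i < n; i++) free(out[i]);
                return -1;               /* reject rather than truncate or overflow */
            }
            out[n] = malloc(MAX_SECTION_LEN);
            if (out[n] == NULL) {
                for (int i = 0; i < n; i++) free(out[i]);
                return -1;
            }
            memcpy(out[n], p, len);
            out[n][len] = '\0';          /* always inside the allocation */
            n++;
        }
        if (colon == NULL) break;
        p = colon + 1;
    }
    return n;
}

void free_sections(char *out[], int n) {
    for (int i = 0; i < n; i++) free(out[i]);
}

int main(void) {
    char *secs[MAX_SECTIONS];
    char colons[101];                    /* constructed: the 100-colon input from the post */
    memset(colons, ':', 100);
    colons[100] = '\0';

    printf("buggy check accepts len==cap: %d, fixed check: %d\n",
           fits_buggy(MAX_SECTION_LEN, MAX_SECTION_LEN),
           fits_fixed(MAX_SECTION_LEN, MAX_SECTION_LEN));

    int n = parse_sections(colons, secs);
    printf("100 colons -> %d sections stored\n", n);
    free_sections(secs, n > 0 ? n : 0);

    n = parse_sections("1:3:8", secs);
    printf("\"1:3:8\" -> %d sections, last = %s\n", n, n > 0 ? secs[n - 1] : "");
    free_sections(secs, n > 0 ? n : 0);

    printf("overlong field -> %d\n", parse_sections("verylongsection", secs));
    return 0;
}
```

The two one-line checks isolate the arithmetic that matters: `fits_buggy` returns true for a field exactly as long as its buffer, which is the condition under which the NUL terminator lands outside the allocation; `parse_sections` uses `fits_fixed` and returns an error instead, so the 100-colon input from the post produces zero stored fields and no out-of-bounds write.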

