On 2020-06-11 16:13, Romero Pérez, Abel wrote:
On 2020-06-11 15:59, Otto Moerbeek wrote:
On Thu, Jun 11, 2020 at 03:15:55PM +0200, Romero Pérez, Abel wrote:
I've got a: man(13835) in free(): bogus pointer (double free?) 0x22c43c2813b
To check, please add the following function to .kshrc and run . ./.kshrc:
function man {
    set -A array "$@"
    tag=${array[$#-1]}
    PAGER="" MANPAGER="" /usr/bin/man -T html -c pfctl $@ > /tmp/man.html | lynx /tmp/man.html#$tag
    #PAGER="" MANPAGER="" /usr/bin/man -T html -c $@ | lynx -stdin
}
Then launch on prompt: man id
The result, if exploited, is in the screenshot, but on the console it is as follows:
foo$ man id
Abort trap
foo$
This already trips the bug;
man -T html -c pfctl id
No need for a custom man function. No clue yet why.
-Otto
Confirmed, it also exploits with your cmd-line.
It seems to crash only when a binary on $PATH is specified as the 2nd man
entry (for example id).
-Abel.