Megyer Ur wrote:

> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l <formatstr>
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user launches man, our code will be run instead of
> the original /usr/lib/man-db/man binary. This is the real security
> problem.

Do "chattr +i /usr/lib/man-db/man*" to prevent this style of attack.

Cheers,
Foldi Ur ;)

. . _ __ ______________________________________________________ __ _ . .
Foldi Tamas - We Are The Hashmark In The Rootshell - Security Consultant
   [EMAIL PROTECTED] - PGP: finger:[EMAIL PROTECTED] - (+3630) 221-7477
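
An audit to go with the chattr suggestion above, as an added example that is not part of the original message: it lists set-uid/set-gid files under a directory that are owned by a non-root account (so any process running as that account can replace them) and reports whether the immutable flag is set. The function names are hypothetical; it assumes GNU stat and lsattr from e2fsprogs.

```shell
#!/bin/sh
# Added example: find set-uid/set-gid files that their own non-root owner
# could overwrite, and show whether "chattr +i" has been applied to them.
# Example call: audit_suid_dir /usr/lib/man-db

# Print yes, no or unknown for the immutable attribute of one file.
immutable_state() {
    attrs=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in
        "")  echo unknown ;;  # lsattr missing, or filesystem without attributes
        *i*) echo yes ;;      # lowercase i is the immutable flag
        *)   echo no ;;
    esac
}

# For every set-uid or set-gid regular file under $1, print one line:
#   <path> owner=<user> mode=<octal> immutable=<state> risk=<level>
# risk=replaceable: the owner is not root and no immutable flag was seen,
# so a compromise of that uid is enough to swap the file's contents.
audit_suid_dir() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        owner=$(stat -c %U -- "$f")
        mode=$(stat -c %a -- "$f")
        imm=$(immutable_state "$f")
        if [ "$owner" != root ] && [ "$imm" != yes ]; then
            risk=replaceable
        else
            risk=ok
        fi
        printf '%s owner=%s mode=%s immutable=%s risk=%s\n' \
            "$f" "$owner" "$mode" "$imm" "$risk"
    done
}
```

Lines marked risk=replaceable are the files the chattr +i advice applies to; immutable=unknown means the flag could not be read, not that it is set.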
