Sunday, May 13, 2001, 10:07:34 PM, zenith napisa�(a):
> ========================================================
> Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
> package) and earlier.
> =========================================================
> Heap Based Overflow of man via -S option gives GID man.
> Due to a slight error in a length check, the -S option to
> man can cause a buffer overflow on the heap, allowing redirection of execution into
>user supplied code.
> man -S `perl -e 'print ":" x 100'`
Confirmed:
$ man -S `perl -e 'print ":" x 100'` sometext
Segmentation fault
> Will cause a seg fault if you are vulnerable.
> It is possible to insert a pointer into a linked list that will allow
> overwriting of any value in memory that is followed by 4 null
> characters (a null pointer). one such memory location is the last
> entry on the GOT (global offset table). When another item is added to
> the linked list, the address of the data (a filename) is inserted over
> the last value, effectively redefining the function to the code
> represented by the filename.
> Putting shellcode in the filename allows execution of arbitrary code
> when the function referred to is called.
> Redhat have be contacted, and will be releasing an errata soon.
> GID man allows a race condition for root via
> /etc/cron.daily/makewhatis and /sbin/makwhatis
My 'man' executable comes from default installation of RH 7.0.
--
pozdrawiam
| Sylwester Zar�bski |
| e-mail: [EMAIL PROTECTED] |
| ICQ uin: #45780888 |
| Administrator TORNET.PL |
