Martin Schulze [EMAIL PROTECTED] writes:
Please tell me what you gain from this. man does not run setuid root/man
but only setgid man.
Debian man-db is setuid (not setgid) man[1] in the latest stable and unstable
incarnations.
Getting uid man is not immediate death, but bad enough. Bug
Megyer Ur wrote:
/usr/bin/man is a simple binary, without any suid bit, BUT
/usr/lib/man-db/man is suid man, and it's vulnerable to man -l formatstr
attack. So anyone can get man uid by exploiting it.
So we can overwrite the /usr/lib/man-db/man binary with any stuff we
want, and when some
Jose Nazario writes:
On Sun, 4 Feb 2001, Martin Schulze wrote:
Please tell me what you gain from this. man does not run setuid
root/man but only setgid man. So all you can exploit this to is a
shell running under your own user id.
sucker admins who m4 their sendmail.mc's as
On my Debian 2.2 system 'man' was installed
suid root. I don't know about Debian 2.3 but,
Debian 2.2 does install 'man' suid root.
Robert van der Meulen wrote:
Hi,
Quoting StyX ([EMAIL PROTECTED]):
styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$
This
On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
I don't know about Suse/Redhat/others.
On RH 7.0 and 6.2 it does not seem to matter as far as the
vulnerability is concerned since
$ man -l %x%x%x%x 2>&1 | head -1
man: invalid option -- l
on both systems.
Also,
$ ls -l
styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$
This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
this doesn't impose a security
On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
On my Debian 2.2 system 'man' was installed
suid root. I don't know about Debian 2.3 but,
Debian 2.2 does install 'man' suid root.
Are you certain? In Debian stable (2.2, potato), man is installed setgid man.
In Debian unstable and
On Mon, Feb 05, 2001 at 11:17:28PM +0100, Roman Drahtmueller wrote:
SuSE ships the /usr/bin/man command suid man.
After exploiting the man command format string vulnerability, the attacker
can then replace the /usr/bin/man binary with an own program - since the
man command is supposed to
This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything,
and
this doesn't impose a security problem.
I don't know about Suse/Redhat/others.
SuSE ships the /usr/bin/man command suid
* Darren Moffat [EMAIL PROTECTED] [010205 19:24]:
Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text ?
Given the replies I got that are similar to the one below I should have
been more explicit - I knew this but was trying to hint that it
* Darren Moffat [EMAIL PROTECTED] [010205 19:24]:
Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text ?
It is setuid some user in order to store pre-formatted manpages
around, so that future invocations do not have to format the manpage. It
is
Darren Moffat [EMAIL PROTECTED] writes:
I'm having a hard time working out why the man command is setuid to any
user.
Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text ?
Isn't it an issue with caching that viewable text in catN directories?
Darren Moffat wrote:
I'm having a hard time working out why the man command is setuid to any
user.
Exactly what is it that man MUST do to perform the job of turning nroff
man pages into viewable text ?
Two operations are done where SUID is useful; firstly maintaining the manual
page index
StyX wrote:
Joao Gouveia wrote:
Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27tid=15872
4fromthread=0start=2001-01-21threads=1list=82
Posted also on suse security list, and apparently overlooked.
Hi,
Quoting StyX ([EMAIL PROTECTED]):
styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$
This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
this
On Sun, 4 Feb 2001, Martin Schulze wrote:
Please tell me what you gain from this. man does not run setuid
root/man but only setgid man. So all you can exploit this to is a
shell running under your own user id.
sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
them
On Sun, 04 Feb 2001 01:48:34 +0100, Robert van der Meulen [EMAIL PROTECTED] said:
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
this doesn't impose a security problem.
Although it may not apply to *this* *particular* issue, let's all not
On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
Hi,
Quoting StyX ([EMAIL PROTECTED]):
styx@SuxOS-devel:~$ man -l %n%n%n%n
man: Segmentation fault
styx@SuxOS-devel:~$
This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
Joao Gouveia wrote:
Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27tid=15872
4fromthread=0start=2001-01-21threads=1list=82
Posted also on suse security list, and apparently overlooked.
The man package
On Wed, Jan 31, 2001 at 02:22:01PM -, Joao Gouveia wrote:
: The man package that ships with SuSe Linux ( at least versions 6.1 through
: 7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is
: confirmed to have the same problem.
:
: quote
: jroberto@spike:~ man -l
Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27tid=15872
4fromthread=0start=2001-01-21threads=1list=82
Posted also on suse security list, and apparently overlooked.
Yes, it was overread on [EMAIL