Megyer Ur wrote:
> /usr/bin/man is a simple binary, without any suid bit, BUT
> /usr/lib/man-db/man is suid man, and it's vulnerable to man -l
> attack. So anyone can get man uid by exploiting it.
>
> So we can overwrite the /usr/lib/man-db/man binary with any stuff we
> want, and when some user
Martin Schulze <[EMAIL PROTECTED]> writes:
> Please tell me what you gain from this. man does not run setuid root/man
> but only setgid man.
Debian man-db is setuid (not setgid) man[1] in the latest stable and unstable
incarnations.
Getting uid man is not immediate death, but bad enough. Bug 8
Darren Moffat wrote:
> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?
Two operations are done where SUID is useful; firstly maintaining the manual
page in
Darren Moffat <[EMAIL PROTECTED]> writes:
> I'm having a hard time working out why the man command is setuid to any
> user.
>
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?
Isn't it an issue with caching that viewable text in catN direct
* Darren Moffat <[EMAIL PROTECTED]> [010205 19:24]:
> Exactly what is it that man MUST do to perform the job of turning nroff
> man pages into viewable text ?
It is setuid in order to store pre-formatted manpages
around, so that future invocations do not have to format the manpage. It
is intende
>* Darren Moffat <[EMAIL PROTECTED]> [010205 19:24]:
>> Exactly what is it that man MUST do to perform the job of turning nroff
>> man pages into viewable text ?
Given the replies I got that are similar to the one below I should have
been more explicit - I knew this but was trying to hint that it
>> > This was on my Debian 2.2 potato system (It doesn't dump core though).
>> Just for the record:
>> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
>> this doesn't impose a security problem.
>> I don't know about Suse/Redhat/others.
>
>SuSE ships the /usr/bin/man co
On Mon, Feb 05, 2001 at 11:17:28PM +0100, Roman Drahtmueller wrote:
> SuSE ships the /usr/bin/man command suid man.
>
> After exploiting the man command format string vulnerability, the attacker
> can then replace the /usr/bin/man binary with an own program - since the
> man command is supposed
On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.
Are you certain? In Debian stable (2.2, potato), man is installed setgid man.
In Debian unstable and tes
John <[EMAIL PROTECTED]> writes:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.
graham@lonestar:~$ cat /etc/debian_version
2.2
graham@lonestar:~$ dpkg --listfi
Hi,
On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.
No, this is not true:
$ ls -la /usr/lib/man-db/man
-rwsr-xr-x 1 man root 82848 Apr 4
On Mon, Feb 05, 2001 at 06:34:47AM -0500, John wrote:
> On my Debian 2.2 system 'man' was installed
> suid root. I don't know about Debian 2.3 but,
> Debian 2.2 does install 'man' suid root.
Debian systems:
---
-rwsr-xr-x 1 man root 84524 Oct 24 08:11 /usr/lib/man-db/m
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a s
On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> I don't know about Suse/Redhat/others.
On RH 7.0 and 6.2 it does not seem to matter as far as the
vulnerability is concerned since
$ man -l %x%x%x%x 2>&1 |head -1
man: invalid option -- l
on both systems.
Also,
$ ls -l
On my Debian 2.2 system 'man' was installed
suid root. I don't know about Debian 2.3 but,
Debian 2.2 does install 'man' suid root.
Robert van der Meulen wrote:
>
> Hi,
>
> Quoting StyX ([EMAIL PROTECTED]):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
Jose Nazario writes:
> On Sun, 4 Feb 2001, Martin Schulze wrote:
>
> > Please tell me what you gain from this. man does not run setuid
> > root/man but only setgid man. So all you can exploit this to is a
> > shell running under your own user id.
>
> sucker admins who m4 their sendmail.
On Sun, Feb 04, 2001 at 01:48:34AM +0100, Robert van der Meulen wrote:
> Hi,
>
> Quoting StyX ([EMAIL PROTECTED]):
> > styx@SuxOS-devel:~$ man -l %n%n%n%n
> > man: Segmentation fault
> > styx@SuxOS-devel:~$
> >
> > This was on my Debian 2.2 potato system (It doesn't dump core though).
> Just for
On Sun, 04 Feb 2001 01:48:34 +0100, Robert van der Meulen <[EMAIL PROTECTED]> said:
> Just for the record:
> on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
> this doesn't impose a security problem.
Although it may not apply to *this* *particular* issue, let's all no
On Sun, 4 Feb 2001, Martin Schulze wrote:
> Please tell me what you gain from this. man does not run setuid
> root/man but only setgid man. So all you can exploit this to is a
> shell running under your own user id.
sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
them
Hi,
Quoting StyX ([EMAIL PROTECTED]):
> styx@SuxOS-devel:~$ man -l %n%n%n%n
> man: Segmentation fault
> styx@SuxOS-devel:~$
>
> This was on my Debian 2.2 potato system (It doesn't dump core though).
Just for the record:
on a lot of systems (including Debian), 'man' is not suid/sgid anything, and
StyX wrote:
> Joao Gouveia wrote:
> >
> > Hi,
> >
> > This issue has been discussed in vuln-dev (2001-01-26), see:
> > http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
> >
> > Posted also on suse security list, and
Joao Gouveia wrote:
>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.
>
> The
On Wed, Jan 31, 2001 at 02:22:01PM -, Joao Gouveia wrote:
: The man package that ships with SuSe Linux ( at least versions 6.1 through
: 7.0 ) has a format string vulnerability. Also debian 2.2r2 ( at least ), is
: confirmed to have the same problem.
:
:
: jroberto@spike:~ > man -l %x%x%x%x
>
> Hi,
>
> This issue has been discussed in vuln-dev (2001-01-26), see:
> http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
>
> Posted also on suse security list, and apparently overlooked.
Yes, it was overread on [EM
Hi,
This issue has been discussed in vuln-dev (2001-01-26), see:
http://www.securityfocus.com/templates/archive.pike?end=2001-01-27&tid=158724&fromthread=0&start=2001-01-21&threads=1&list=82&
Posted also on suse security list, and apparently overlooked.
The man package that ships with SuSe Linu