SecurityTracker.com
Category:   Application (Generic)  >   Man
Vendors:   Red Hat
Red Hat's Man Utility Allows Local Users to Obtain Additional Group Privileges
SecurityTracker Alert ID:  1001528
SecurityTracker URL:  http://securitytracker.com/id/1001528
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  May 16 2001
Original Entry Date:  May 14 2001
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): redhat 7.0 with man-1.5h1-10 (default package) and earlier.
Description:   A vulnerability was reported in Red Hat's version of the "man" online manual display utility that allows local users to obtain the man group ID (gid) privileges.

It is reported that there is a heap-based overflow in man that can be triggered via the -S option. The cause is reportedly a slight error in a length check. This allows a local user to cause a buffer overflow on the heap and redirect execution into user-supplied code.

The following command will cause a segmentation fault if your system is vulnerable:

man -S `perl -e 'print ":" x 100'`

The vendor has reportedly been contacted.

Impact:   A local user can obtain the man group ID (gid) privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.redhat.com/
Cause:   Boundary error
Underlying OS:   Linux (Red Hat Linux)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Red Hat Releases Fix) Re: Red Hat's Man Utility Allows Local Users to Obtain Additional Group Privileges   (bugzilla@redhat.com)
Red Hat has released a fix. See the Source Message for details.
(SuSE Issues Fix) Re: Red Hat's Man Utility Allows Local Users to Obtain Additional Group Privileges   (Roman Drahtmueller <draht@suse.de>)
SuSE has issued a fix.
(Immunix Releases Fix) Re: Red Hat's Man Utility Allows Local Users to Obtain Additional Group Privileges   (Immunix Security Team <security@wirex.com>)
Immunix has released a fix.
(Red Hat Issues Update Fix) Red Hat's Man Utility Allows Local Users to Obtain Additional Group Privileges   (bugzilla@redhat.com)
The vendor has released a revised fix.



 Source Message Contents

Date:  13 May 2001 20:07:34 -0000
Subject:  RH7.0: man local gid 15 (man) exploit


========================================================
Vulnerable systems: redhat 7.0 with man-1.5h1-10 (default
package) and earlier.
=========================================================
Heap Based Overflow of man via -S option gives GID man.

Due to a slight error in a length check, the -S option to
man can cause a buffer overflow on the heap, allowing redirection of execution into user supplied code.

man -S `perl -e 'print ":" x 100'`

Will cause a seg fault if you are vulnerable.

It is possible to insert a pointer into a linked list that will allow overwriting of any value in memory that is followed by 4 null characters (a null pointer). One such memory location is the last entry on the GOT (global offset table). When another item is added to the linked list, the address of the data (a filename) is inserted over the last value, effectively redefining the function to the code represented by the filename.

Putting shellcode in the filename allows execution of arbitrary code when the function referred to is called.

Redhat have been contacted, and will be releasing an errata soon.

--zen-parse

GID man allows a race condition for root via
/etc/cron.daily/makewhatis and /sbin/makwhatis
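
An added example, not code from man or from the message above: a bounds-checked splitter for a colon-separated section list of the kind the -S option takes, showing where a length check of this sort belongs and how a ":" x 100 argument is rejected. MAX_SECTIONS, struct section_list, split_sections and free_sections are names assumed for illustration; the page does not show man's actual code.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SECTIONS 8  /* assumed capacity for this example */

/* Hypothetical holder; names[] is NULL-terminated, hence the +1 slot. */
struct section_list {
    char *names[MAX_SECTIONS + 1];
    size_t count;
};

void free_sections(struct section_list *sl)
{
    for (size_t i = 0; i < sl->count; i++)
        free(sl->names[i]);
    memset(sl, 0, sizeof *sl);
}

/* Split a colon-separated list such as "1:3:8". Returns the number of
 * sections stored, or -1 if the input is rejected. Empty fields (what a
 * run of ":" produces) are counted like any other field, so they cannot
 * slip past the capacity check. */
int split_sections(const char *arg, struct section_list *sl)
{
    memset(sl, 0, sizeof *sl);
    const char *p = arg;
    for (;;) {
        size_t len = strcspn(p, ":");
        /* Check before the write. Writing '>' instead of '>=' would let
         * an entry take the slot reserved for the NULL terminator. */
        if (sl->count >= MAX_SECTIONS) {
            free_sections(sl);
            return -1;
        }
        char *name = malloc(len + 1);
        if (name == NULL) {
            free_sections(sl);
            return -1;
        }
        memcpy(name, p, len);
        name[len] = '\0';
        sl->names[sl->count++] = name;
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return (int)sl->count;
}
```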

Copyright 2013, SecurityGlobal.net LLC