COMMAND

    Groff

SYSTEMS AFFECTED

    GNU Groff

PROBLEM

    Internet Security Systems (ISS) has identified vulnerabilities  in
    several  utilities  that  ship  as  part  of  the  Groff  document
    formatting system package.

    By default, the "troff" program reads its "troffrc" initialization
    file from the current working directory.  From a security
    standpoint, it would be desirable to restrict the search path for
    this file to the invoker's home directory and/or a trusted system
    directory.  Unfortunately, this could break programs that depend
    on the current behavior.

    The "groff" program, a front-end for troff, has a similar problem.
    It looks for the description file of the output device (as given
    by the -T parameter, or "ps" by default) as dev<name>/DESC in the
    current working directory.  The device description file may
    contain an optional "postpro" directive, which names a
    post-processor command to be run on troff's output after normal
    processing.  A malicious user could place a trojan device
    description file in a world-writable directory (e.g. /tmp), after
    which any invocation of groff from that directory is unsafe.

    Unsuspecting users, including root, could thus be tricked into
    running arbitrary commands on the system.  The vulnerability is
    particularly dangerous in Linux distributions that have the
    "lesspipe" feature.  By default, a "LESSOPEN" environment variable
    is set which points to a wrapper script for the "less" pager
    program named "/usr/bin/lesspipe.sh".  If less is passed a
    filename with any of the extensions ".1" through ".9", ".n", or
    ".man", the wrapper automatically calls groff to format the file,
    so merely viewing a manual page with less while the trojan files
    sit in the current directory is enough to trigger the attack.

    Troff is a document processor  that ships with most Unix  systems.
    Among  other  functions,  it  formats  system  manual  pages  into
    human-readable form.  The GNU Groff package includes "troff",  the
    main  processing  program,  and  "groff",  a  front-end for troff.
    Typically, troff is invoked by groff.

    Troff supports a set of potentially dangerous requests: ".open",
    ".opena", ".pso", ".sy", and ".pi", which provide the means to
    write to files and execute external commands.  For example,
    ".opena" opens a file for writing in append mode, ".pso" reads
    the output of a command as input, and ".sy" performs a C system()
    call with the specified argument.

    By default, groff disables these dangerous requests.  This is
    accomplished by the macro file "tmac.safer".  Unless overridden by
    the -U (unsafe) flag, the groff program passes troff the flag
    "-msafer", which instructs troff to process tmac.safer before the
    input file.  However, before troff processes tmac.safer, it first
    looks for a "troffrc" initialization file.  If one is found, troff
    executes the requests found therein first, while the dangerous
    requests are still available, bypassing the protection.  As
    mentioned above, troff looks for this initialization file in the
    current directory, creating a potentially dangerous situation.

    Groff (speaking of  the actual program  now, not the  package as a
    whole)  is  a  front-end  for  troff.   It  supports  a variety of
    devices.   For example,  the PostScript  device is  named "ps" and
    allows  groff  to  generate  output  that  is  fit  to  print   on
    PostScript printers.  There is  a device for HTML, and  one called
    "ascii"  that's  used  to  pretty-print  text  on  typewriter-like
    devices.

    Each device supported by groff has a corresponding directory of
    the name "dev<name>", where <name> is "ps", "ascii", etc.  These
    directories are typically installed under some trusted path on the
    system, e.g., /usr/lib.  The device description file is named
    "dev<name>/DESC".  Since groff blindly trusts "DESC" files found
    under the current directory hierarchy, an attacker may be able to
    fool another user into running an arbitrary command by supplying
    one with a "postpro" directive.

    Solar Designer points  out that the  aforementioned files are  not
    alone in the set that may be accessed from the current  directory.
    Other  hard-coded  filenames,  such  as  "troffrc-end", could fall
    within the `.'  search path as  well (troffrc-end is  loaded after
    the -msafer macros, though).  In fact, the macro files  themselves
    reference other files that could reside in the current directory.

    This vulnerability was discovered and researched by Aaron Campbell
    and Allen  Wilson of  the ISS  X-Force. Internet  Security Systems
    would  like  to  acknowledge  Solar  Designer  for his analysis of
    this problem.

SOLUTION

    Both administrators and users should exercise caution and not run
    "groff", "troff", or even the "man" command (or, where lesspipe is
    enabled, "less" on a manual page) from untrusted directories such
    as /tmp.

    Internet Security  Systems has  not received  a response  from the
    current GNU Groff maintainer.  In the interest of accelerating the
    elimination  of  these  vulnerabilities,  this  advisory  is being
    disseminated to the open source community for public discussion.

    One possibility  could be  to not  trust the  current directory at
    all by default,  perhaps requiring a  special command line  option
    to  revert  to  the  old  behavior.   At  any rate, the fix is not
    obvious, as per Solar Designer's analysis.

    Note that troff's -R option ("Don't load troffrc") does not
    eliminate the problem, since the dev<name>/DESC lookup described
    above still consults the current directory.
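
    As an added example (not part of the ISS advisory or of the groff
    sources), the following POSIX shell script inspects a directory
    for the files this advisory says troff and groff read from the
    current working directory, namely troffrc, troffrc-end and
    dev<name>/DESC, and flags any that carry a command-executing
    request or a postpro directive.  It also builds a constructed
    trojan directory of the shape described above to demonstrate what
    the check reports.  The filename set is an assumption taken from
    the advisory's text; a clean report only covers those files.

```shell
#!/bin/sh
# Added example; not part of the ISS advisory or of the groff sources.
# Inspect a directory for the files the advisory says groff/troff read from
# the current working directory, and flag the ones that can run commands.
# Assumption (ours): the set of filenames checked is exactly the one the
# advisory names (troffrc, troffrc-end, dev*/DESC).  A real installation may
# consult further files, so a clean report is not a proof of safety.

# Control lines invoking the file-writing / command-running requests the
# advisory lists: .open .opena .pso .sy .pi (control character . or ').
DANGEROUS_REQ_RE="^[.'][[:space:]]*(sy|pi|open|opena|pso)([[:space:]]|\$)"

# groff_cwd_check [DIR]
# Prints one "path: reason" line per finding (default DIR is ".").
# Returns 1 if anything was found, 0 if none of the named files is present.
groff_cwd_check() {
    dir=${1:-.}
    found=0
    # troffrc is read before -msafer takes effect; troffrc-end after it.
    for f in troffrc troffrc-end; do
        [ -f "$dir/$f" ] || continue
        echo "$dir/$f: troff initialization file would be read from here"
        found=$((found + 1))
        if grep -Eq "$DANGEROUS_REQ_RE" "$dir/$f"; then
            echo "$dir/$f: contains a command-executing or file-writing request:"
            grep -E "$DANGEROUS_REQ_RE" "$dir/$f" | sed 's/^/    /'
            found=$((found + 1))
        fi
    done
    # dev<name>/DESC: a postpro directive names a program groff will run.
    for d in "$dir"/dev*/; do
        desc="${d}DESC"
        [ -f "$desc" ] || continue
        echo "$desc: device description would be read from here"
        found=$((found + 1))
        if grep -Eq '^postpro[[:space:]]' "$desc"; then
            echo "$desc: postpro directive names a post-processor to run:"
            grep -E '^postpro[[:space:]]' "$desc" | sed 's/^/    /'
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample (ours, not a captured trojan): a troffrc that runs a
# command via .sy before the safer macros are loaded, and a devps/DESC whose
# postpro directive names an attacker-chosen program.  Both only echo, so
# the directory is harmless, but its shape is what the advisory describes.
make_trojan_dir() {
    _d=$(mktemp -d)
    printf '.sy echo trojan troffrc ran\n' > "$_d/troffrc"
    mkdir "$_d/devps"
    printf 'res 72000\npostpro echo trojan postpro ran\n' > "$_d/devps/DESC"
    echo "$_d"
}

# Constructed control: a directory holding only an ordinary manual page.
make_clean_dir() {
    _d=$(mktemp -d)
    printf '.TH DEMO 1\n.SH NAME\ndemo - harmless manual page\n' > "$_d/demo.1"
    echo "$_d"
}

# Stand-alone demonstration: scan the constructed trojan directory.
demo=$(make_trojan_dir)
echo "Checking constructed directory $demo"
if groff_cwd_check "$demo"; then
    echo "no groff startup files found; the advisory's file set is not present"
else
    echo "do not run groff, troff or man (or less on a manual page) from $demo"
fi
rm -rf "$demo"
```

    Run "groff_cwd_check ." before invoking groff, troff, man or less
    on a manual page in a shared directory such as /tmp.  Because it
    looks at dev<name>/DESC and troffrc-end as well as troffrc, it is
    not limited in the way the -R option is.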