Date: Thu, 23 May 1996 12:27:52 +0200
From: Wolfram Schneider <wosch@campa.panke.de>
To: security-officer@freebsd.org
Cc: security@freebsd.org
Subject: FreeBSD security advisory: FreeBSD-SA-96:11
Message-ID: <199605231027.MAA00803@campa.panke.de>
In-Reply-To: <199605222020.NAA06596@precipice.shockwave.com>
References: <199605222020.NAA06596@precipice.shockwave.com>

How about set *g*id man(1)?

$ ls -l /usr/bin/man
-r-xr-sr-x 1 man man 28672 May 19 20:38 /usr/bin/man
      ^

and group man writable /usr/share/man/cat*

$ ls -ld /usr/share/man/cat1
drwxrwxr-x 2 man man 7680 Apr 20 21:53 /usr/share/man/cat1
     ^           ^^^

Wolfram

FreeBSD Security Officer writes:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-96:11                                            Security Advisory
>Revised: Wed May 22 00:11:46 PDT 1996                           FreeBSD, Inc.
>
>Topic:          security compromise from man page utility
>
>Category:       core
>Module:         man
>Announced:      1996-05-21
>Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
>Corrected:      2.1-stable and 2.2-current as of 1996-05-21
>FreeBSD only:   yes
>
>Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:11/
>
>=============================================================================
>
>I.   Background
>
>     FreeBSD replaced the standard BSD manual page reader with
>     code developed by a third party to support compressed manual
>     pages. A bug was found in the manual page reader which can
>     allow an unprivileged local user to compromise system security
>     in a limited fashion. This problem is present in all source
>     code and binary distributions of FreeBSD version 2.x released
>     before 1996-05-21.
>
>
>II.  Problem Description
>
>     The man program is setuid to the "man" user. By executing a
>     particular sequence of commands, an unprivileged local user
>     may gain the access privileges of the "man" user. However,
>     root access could be obtained with further work.
>
>
>III. Impact
>
>     The "man" user has no particular special privileges, it is
>     the owner of the /usr/share/man/cat[0-9] directory hierarchy.
>     Unformatted system manual pages are owned by the "bin" user.
>     However, further exploits once "man" is obtained could
>     possibly allow a local user to obtain unlimited access via
>     a trojan horse.
>
>     This vulnerability can only be exploited by users with a valid
>     account on the local system.
[...]
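
A check for the layout suggested in the message above, as an added example that is not part of the original e-mail or of FreeBSD's code: it reads `ls -l` lines and reports whether the man binary is setgid rather than setuid and whether the cat directories are group-writable but not world-writable. The function names `mode_flags` and `check_entry` are hypothetical, and the sample lines are constructed from the listing in the message.

```shell
#!/bin/sh
# Added example, not from the e-mail; mode_flags and check_entry are hypothetical names.
# Decode the bits of interest from a 10-character `ls -l` mode string.
mode_flags() {
    flags=""
    u_x=$(printf '%s' "$1" | cut -c4)   # owner execute slot: s/S means setuid
    g_w=$(printf '%s' "$1" | cut -c6)   # group write slot
    g_x=$(printf '%s' "$1" | cut -c7)   # group execute slot: s/S means setgid
    o_w=$(printf '%s' "$1" | cut -c9)   # other write slot
    case $u_x in s|S) flags="$flags setuid" ;; esac
    case $g_x in s|S) flags="$flags setgid" ;; esac
    if [ "$g_w" = w ]; then flags="$flags group-writable"; fi
    if [ "$o_w" = w ]; then flags="$flags world-writable"; fi
    printf '%s\n' "${flags# }"
}

# $1 = expected group, $2 = one `ls -l` line. Prints "ok" or "fail: <reason>";
# returns non-zero on failure. Regular files must be setgid, directories group-writable.
check_entry() {
    want_group=$1
    read -r mode _links _owner group _rest <<EOF
$2
EOF
    flags=" $(mode_flags "$mode") "
    case $flags in *" setuid "*) echo "fail: setuid"; return 1 ;; esac
    case $flags in *" world-writable "*) echo "fail: world-writable"; return 1 ;; esac
    if [ "$group" != "$want_group" ]; then echo "fail: group $group"; return 1; fi
    case $mode in
        d*) case $flags in *" group-writable "*) ;; *) echo "fail: cat dir not group-writable"; return 1 ;; esac ;;
        *)  case $flags in *" setgid "*) ;; *) echo "fail: binary not setgid"; return 1 ;; esac ;;
    esac
    echo ok
}

# Constructed sample input: the two listings from the message plus a setuid variant.
while IFS= read -r l; do
    printf '%s -> %s\n' "${l##* }" "$(check_entry man "$l" || true)"
done <<'EOF'
-r-xr-sr-x 1 man man 28672 May 19 20:38 /usr/bin/man
drwxrwxr-x 2 man man 7680 Apr 20 21:53 /usr/share/man/cat1
-r-sr-xr-x 1 man man 28672 May 19 20:38 /usr/bin/man
EOF
```

On a live system the same lines can be fed from `ls -l /usr/bin/man` and `ls -ld /usr/share/man/cat*`.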