Date:      Thu, 23 May 1996 12:27:52 +0200
From:      Wolfram Schneider <wosch@campa.panke.de>
To:        security-officer@freebsd.org
Cc:        security@freebsd.org
Subject:   FreeBSD security advisory: FreeBSD-SA-96:11
Message-ID:  <199605231027.MAA00803@campa.panke.de>
In-Reply-To: <199605222020.NAA06596@precipice.shockwave.com>
References:  <199605222020.NAA06596@precipice.shockwave.com>


How about set *g*id man(1)? 

$ ls -l /usr/bin/man
 -r-xr-sr-x  1 man  man  28672 May 19 20:38 /usr/bin/man
       ^

and group man writable /usr/share/man/cat*

$ ls -ld /usr/share/man/cat1
drwxrwxr-x  2 man  man  7680 Apr 20 21:53 /usr/share/man/cat1
     ^             ^^^

 
Wolfram

FreeBSD Security Officer writes:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-96:11                                           Security Advisory
>Revised: Wed May 22 00:11:46 PDT 1996                          FreeBSD, Inc.
>
>Topic:         security compromise from man page utility
>
>Category:      core
>Module:                man
>Announced:     1996-05-21
>Affects:       FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
>Corrected:     2.1-stable and 2.2-current as of 1996-05-21
>FreeBSD only:  yes
>
>Patches:       ftp://freebsd.org/pub/CERT/patches/SA-96:11/
>
>=============================================================================
>
>I.   Background    
>
>     FreeBSD replaced the standard BSD manual page reader with
>     code developed by a third party to support compressed manual
>     pages.  A bug was found in the manual page reader which can
>     allow an unprivileged local user to compromise system security
>     in a limited fashion.  This problem is present in all source
>     code and binary distributions of FreeBSD version 2.x released
>     before 1996-05-21.
>
>
>II.  Problem Description
>
>     The man program is setuid to the "man" user.  By executing a
>     particular sequence of commands, an unprivileged local user
>     may gain the access privileges of the "man" user.  However,
>     root access could be obtained with further work.
>
>
>III. Impact
>
>     The "man" user has no particular special privileges, it is
>     the owner of the /usr/share/man/cat[0-9] directory hierarchy.
>     Unformatted system manual pages are owned by the "bin" user.
>     However, further exploits once "man" is obtained could
>     possibly allow a local user to obtain unlimited access via
>     a trojan horse.
>
>     This vulnerability can only be exploited by users with a valid
>     account on the local system.
[...]
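
Added example, not part of the original message or of FreeBSD's code: a POSIX sh audit that checks whether a man binary and its cat directories follow the setgid layout suggested in the reply above (binary setgid but not setuid, cat directories owned by that same group, group-writable, and not writable by others). The function names `priv_bits`, `fields` and `audit_man` are hypothetical, and all paths are passed in as arguments.

```shell
#!/bin/sh
# Added example: check a man binary and its cat directories against the
# setgid layout proposed in the reply. Function names are hypothetical.

# Print setuid, setgid, setuid+setgid or none for an ls -l mode string.
priv_bits() {
    u=$(printf '%s' "$1" | cut -c4)   # owner execute slot: s/S = setuid
    g=$(printf '%s' "$1" | cut -c7)   # group execute slot: s/S = setgid
    case "$u$g" in
        [sS][sS]) echo "setuid+setgid" ;;
        [sS]?)    echo "setuid" ;;
        ?[sS])    echo "setgid" ;;
        *)        echo "none" ;;
    esac
}

# Mode string, owner and group of one path, taken from ls -ld.
fields() { ls -ld -- "$1" | awk '{print $1, $3, $4}'; }

# audit_man BIN CATDIR...
# Returns 0 only if BIN is setgid and not setuid, and every CATDIR belongs to
# BIN's group, is group-writable, and is not writable by others.
audit_man() {
    bin=$1; shift
    rc=0
    read -r bmode bowner bgroup <<EOF
$(fields "$bin")
EOF
    kind=$(priv_bits "$bmode")
    echo "$bin: $bmode $bowner:$bgroup -> $kind"
    [ "$kind" = "setgid" ] || rc=1
    for d in "$@"; do
        read -r dmode downer dgroup <<EOF
$(fields "$d")
EOF
        gw=$(printf '%s' "$dmode" | cut -c6)   # group write slot
        ow=$(printf '%s' "$dmode" | cut -c9)   # other write slot
        echo "$d: $dmode $downer:$dgroup"
        if [ "$gw" != "w" ] || [ "$ow" = "w" ] || [ "$dgroup" != "$bgroup" ]; then
            echo "  does not match the setgid layout"
            rc=1
        fi
    done
    return "$rc"
}
```

On a live system it would be called as `audit_man /usr/bin/man /usr/share/man/cat*`; a non-zero exit status means the binary or at least one directory deviates from the layout.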


