Date: Thu, 13 Dec 2001 18:13:44 +1100 (EST) From: "Tim J. Robbins" <tim@robbins.dropbear.id.au> To: FreeBSD-gnats-submit@freebsd.org Subject: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks Message-ID: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>
next in thread | raw e-mail | index | archive | help
>Number: 32791 >Category: bin >Synopsis: FreeBSD's man(1) utility vulnerable to old catman attacks >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Dec 12 23:30:00 PST 2001 >Closed-Date: >Last-Modified: >Originator: Tim J. Robbins >Release: FreeBSD 4.4-STABLE i386 >Organization: >Environment: System: FreeBSD raven.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #1: Thu Dec 13 10:57:55 EST 2001 tim@raven.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386 >Description: The catman system of the man(1) utility included with FreeBSD is vulnerable to a whole bunch of attacks whereby the catpage's contents can be controlled by an attacker. Discussions of the problem: http://security-archive.merton.ox.ac.uk/security-audit-199908/ ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups) http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html (more problems) >How-To-Repeat: There are too many ways to repeat the problem.. here's one: $ ln -s /usr/share/man/cat1 cat1 $ mkdir man1 $ cd man1 $ cat >ls.1 oops! modified ^D $ cd .. $ man -M . ls Formatting page, please wait...Done. oops! modified >Fix: Remove the suid(!) bit from /usr/bin/man. >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200112130713.fBD7DiH01449>