[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Security Compromise from Man Page Utility

Title: Security Compromise from Man Page Utility
Released by: FREEBSD
Date: 21st May 1996
Printable version: Click here

FreeBSD-SA-96:11                                            Security Advisory

Revised: Wed May 22 00:11:46 PDT 1996                           FreeBSD, Inc.

Topic:          security compromise from man page utility

Category:       core

Module:         man

Announced:      1996-05-21

Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current

Corrected:      2.1-stable and 2.2-current as of 1996-05-21

FreeBSD only:   yes

Patches:        http://freebsd.org/pub/CERT/patches/SA-96:11/


I.   Background

     FreeBSD replaced the standard BSD manual page reader with

     code developed by a third party to support compressed manual

     pages.  A bug was found in the manual page reader which can

     allow an unprivileged local user to compromise system security

     in a limited fashion.  This problem is present in all source

     code and binary distributions of FreeBSD version 2.x released

     before 1996-05-21.

II.  Problem Description

     The man program is setuid to the "man" user.  By executing a

     particular sequence of commands, an unprivileged local user

     may gain the access privileges of the "man" user.  However,

     root access could be obtained with further work.

III. Impact

     The "man" user has no particular special privileges, it is

     the owner of the /usr/share/man/cat[0-9] directory hierarchy.

     Unformatted system manual pages are owned by the "bin" user.

     However, further exploits once "man" is obtained could

     possibly allow a local user to obtain unlimited access via

     a trojan horse.

     This vulnerability can only be exploited by users with a valid

     account on the local system.

IV. Workaround

     One may simply disable the setuid bit on the /usr/bin/man file.

     This will disable caching of formatted manual pages, no system

     functionality will be lost.  This workaround will suffice for

     all versions of FreeBSD affected by this problem.

     As root, execute the command:

         # chmod u-s /usr/bin/man

     then verify that the setuid permissions of the files have been

     removed.  The permissions array should read "-r-xr-xr-x" as

     shown here:

         # ls -l /usr/bin/man

         -r-xr-xr-x  1 man  bin  28672 May 19 20:38 /usr/bin/man

     We also suggest applying the following patch to the source

     distribution so that the man program will not be installed

     setuid man should you rebuild from sources:

    *** /usr/src/gnu/usr.bin/man/man/Makefile   Sun Feb 25 13:39:52 1996

    --- /usr/src/gnu/usr.bin/man/man/Makefile   Wed May 22 00:13:05 1996


    *** 1,7 ****

      PROG=     man

      SRCS=     man.c manpath.c glob.c

    - BINMODE=4555

    - BINOWN=   man

      .if exists(${.CURDIR}/../lib/obj)

      LDADD=  -L${.CURDIR}/../lib/obj -lman

    --- 1,5 ----

V. Solution

     The FreeBSD team is in the process of rewriting portions of

     the manual program to avoid this and similar vulnerabilities.

     This security advisory will be updated when a complete solution

     is available.


FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/

Confidential contacts:          security-officer@freebsd.org

PGP Key:                        http://freebsd.org/pub/CERT/public_key.asc

Security notifications:         security-notifications@freebsd.org

Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to

        modifications caused by digital signature or mailer software.

        Please reference the URL listed at the top of this document

        for original copies of all patches if necessary.


(C) 1999-2000 All rights reserved.