GNU Groff utilities read untrusted commands from current working directory
4th October 2000
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Advisory
October 4, 2000
GNU Groff utilities read untrusted commands from current working directory
Internet Security Systems (ISS) has identified vulnerabilities in several
utilities that ship as part of the Groff document formatting system package.
By default, the "troff" program reads its "troffrc" initialization file from
the current working directory. From a security standpoint, it would be
desirable to restrict the searchable path for this file to the invoker's
home directory and/or a trusted system. Unfortunately, this could present
problems for programs that depend on the current behavior.
The "groff" program, a front-end for troff, has a similar problem. It looks
for the appropriate device description file (as given by the -T parameter, or
"ps" by default) using devname/DESC in the current working directory. The
device description file may contain an optional "postpro" directive, which
defines a command to be run after normal processing. A malicious user could
place a trojan device description file in a world-writable directory
(e.g. /tmp), after which any invocations of groff from that directory are
Unsuspecting users, including root, could be coerced into running arbitrary
commands on the system.
The vulnerability is particularly dangerous in Linux distributions that have
the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set
which points to a wrapper script for the "less" pager program named
"/usr/bin/lesspipe.sh". If less is passed a filename with any of the
extensions ".1" through ".9", ".n", or ".man", it automatically calls groff
to handle the file.
Troff is a document processor that ships with most Unix systems. Among other
functions, it formats system manual pages into human-readable form. The GNU
Groff package includes "troff", the main processing program, and "groff", a
front-end for troff. Typically, troff is invoked by groff.
Troff supports a set of potentially dangerous macros: "open", "opena", "pso",
"sy", and "pi", which provide the means to write to files and execute
external commands. For example, "opena" opens a file for writing in append
mode and "sy" performs a C system() call with the specified argument.
The default in groff is that these dangerous macros are disabled. This is
accomplished by another macro defined in the file "tmac.safer". Unless
overridden by the -U (unsafe) flag, the groff program passes troff the
flag "-msafer", which instructs troff to process the tmac.safer macro
before the input file. However, before troff processes the tmac.safer macro,
it first looks for a "troffrc" initialization file. If one is found, it
executes the commands found therein first, bypassing the dangerous macro
protection. As mentioned above, troff looks for this initialization file in
the current directory, creating a potentially dangerous situation.
Groff (speaking of the actual program now, not the package as a whole) is
a front-end for troff. It supports a variety of devices. For example, the
PostScript device is named "ps" and allows groff to generate output that
is fit to print on PostScript printers. There is a device for HTML, and one
called "ascii" that's used to pretty-print text on typewriter-like devices.
Each device supported by groff has a corresponding directory of the name
"devname", where name is "ps", "ascii", etc. These directories are
typically installed under some trusted path on the system, e.g., /usr/lib.
The device description file is named "devname/DESC". Since groff blindly
trusts "DESC" files contained under the current directory hierarchy, an
attacker may be able to fool another user into running any arbitrary
command using the "postpro" directive.
Solar Designer points out that the aforementioned files
are not alone in the set that may be accessed from the current directory.
Other hard-coded filenames, such as "troffrc-end", could fall within the `.'
search path as well (troffrc-end is loaded after the -msafer macros, though).
In fact, the macro files themselves reference other files that could reside
in the current directory.
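
A check for the files named above, as an added example that is not part of the ISS advisory: the shell function below reports any troffrc, troffrc-end or dev*/DESC file (and its postpro directive) found in a directory before groff, troff or man is run there. The function name and the finding labels are assumptions of this example, and the request match is a line-prefix heuristic.

```shell
#!/bin/sh
# Added example, not part of the ISS advisory: audit a directory for files that
# groff/troff would pick up from the current working directory.
# Finding labels (INITFILE, UNSAFE-REQUEST, ...) are this script's own names.

# Request names the advisory lists as dangerous.
UNSAFE_REQ='open|opena|pso|sy|pi'

# groff_cwd_audit DIR -> prints findings; returns 1 if any, 0 if clean.
groff_cwd_audit() {
    dir=${1:-.}
    found=0
    # Initialization files the advisory names (troffrc runs before -msafer).
    for f in troffrc troffrc-end; do
        [ -f "$dir/$f" ] || continue
        found=1
        echo "INITFILE $dir/$f"
        # Heuristic: a request line starts with the control character . or '
        if grep -Eq "^[.'][[:space:]]*($UNSAFE_REQ)([[:space:]]|\$)" "$dir/$f"; then
            echo "UNSAFE-REQUEST $dir/$f"
        fi
    done
    # Device description files, dev<name>/DESC, and any postpro directive.
    for desc in "$dir"/dev*/DESC; do
        [ -f "$desc" ] || continue
        found=1
        echo "DESC $desc"
        pp=$(grep -E '^[[:space:]]*postpro[[:space:]]' "$desc" | head -n 1)
        [ -z "$pp" ] || echo "POSTPRO $desc: $pp"
    done
    # Findings in a world-writable directory (e.g. /tmp) may belong to anyone.
    if [ "$found" -eq 1 ]; then
        case $(ls -ld -- "$dir") in
            ????????w*) echo "WORLD-WRITABLE $dir" ;;
        esac
    fi
    return "$found"
}

# Run as a script: sh groff_cwd_audit.sh /tmp
if [ "$#" -gt 0 ]; then
    groff_cwd_audit "$1"
fi
```

A clean directory prints nothing and returns 0; any finding returns 1, so the call can gate a wrapper around man or groff.
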
Both administrators and users should exercise caution and not run "groff",
"troff", or even the "man" command from untrusted directories.
Internet Security Systems has not received a response from the current GNU
Groff maintainer. In the interest of accelerating the elimination of these
vulnerabilities, this advisory is being disseminated to the open source
community for public discussion.
Internet Security Systems recognizes that reading from the current directory
is traditional groff/troff behavior, and that in many document-creating
scenarios it is actually a useful `feature'. One possibility could be to not
trust the current directory at all by default, perhaps requiring a special
command line option to revert to the old behavior. At any rate, the fix is
not obvious, as per Solar Designer's analysis.
Note that troff's -R option ("Don't load troffrc") does not eliminate the
The dangerous Troff macros were discussed on the BUGTRAQ mailing list in
July, 1999 on a thread under the subject heading of "Troff dangerous". A
searchable archive of the BUGTRAQ list is at: http://www.securityfocus.com.
The Groff package can be found at the following FTP location:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0803 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.
This vulnerability was discovered and researched by Aaron Campbell and
Allen Wilson of the ISS X-Force. Internet Security Systems would like to
acknowledge Solar Designer for his analysis of this problem.
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail firstname.lastname@example.org for permission.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
email@example.com of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----