From owner-freebsd-security Thu May 23 04:52:52 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA06183 for security-outgoing; Thu, 23 May 1996 04:52:52 -0700 (PDT)
Received: from mail.cs.tu-berlin.de (root@mail.cs.tu-berlin.de [130.149.17.13]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id EAA06171; Thu, 23 May 1996 04:52:49 -0700 (PDT)
Received: from campa.panke.de (anonymous229.ppp.cs.tu-berlin.de [130.149.17.229]) by mail.cs.tu-berlin.de (8.6.12/8.6.12) with ESMTP id NAA05173; Thu, 23 May 1996 13:30:18 +0200
Received: (from wosch@localhost) by campa.panke.de (8.6.12/8.6.12) id MAA00803; Thu, 23 May 1996 12:27:52 +0200
Date: Thu, 23 May 1996 12:27:52 +0200
From: Wolfram Schneider
Message-Id: <199605231027.MAA00803@campa.panke.de>
To: security-officer@freebsd.org
Cc: security@freebsd.org
Subject: FreeBSD security advisory: FreeBSD-SA-96:11
In-Reply-To: <199605222020.NAA06596@precipice.shockwave.com>
References: <199605222020.NAA06596@precipice.shockwave.com>
Reply-to: Wolfram Schneider
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

How about set *g*id man(1)?

$ ls -l /usr/bin/man
-r-xr-sr-x  1 man  man  28672 May 19 20:38 /usr/bin/man
      ^

and group man writable /usr/share/man/cat*

$ ls -ld /usr/share/man/cat1
drwxrwxr-x  2 man  man  7680 Apr 20 21:53 /usr/share/man/cat1
     ^          ^^^

Wolfram

FreeBSD Security Officer writes:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>=============================================================================
>FreeBSD-SA-96:11                                           Security Advisory
>Revised: Wed May 22 00:11:46 PDT 1996                      FreeBSD, Inc.
>
>Topic:          security compromise from man page utility
>
>Category:       core
>Module:         man
>Announced:      1996-05-21
>Affects:        FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current
>Corrected:      2.1-stable and 2.2-current as of 1996-05-21
>FreeBSD only:   yes
>
>Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:11/
>
>=============================================================================
>
>I.   Background
>
>     FreeBSD replaced the standard BSD manual page reader with
>     code developed by a third party to support compressed manual
>     pages.  A bug was found in the manual page reader which can
>     allow an unprivileged local user to compromise system security
>     in a limited fashion.  This problem is present in all source
>     code and binary distributions of FreeBSD version 2.x released
>     before 1996-05-21.
>
>
>II.  Problem Description
>
>     The man program is setuid to the "man" user.  By executing a
>     particular sequence of commands, an unprivileged local user
>     may gain the access privileges of the "man" user.  However,
>     root access could be obtained with further work.
>
>
>III. Impact
>
>     The "man" user has no particular special privileges; it is
>     the owner of the /usr/share/man/cat[0-9] directory hierarchy.
>     Unformatted system manual pages are owned by the "bin" user.
>     However, further exploits once "man" is obtained could
>     possibly allow a local user to obtain unlimited access via
>     a trojan horse.
>
>     This vulnerability can only be exploited by users with a valid
>     account on the local system.
[...]
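The pattern Wolfram points at, a set-id binary whose effective user or group can write a directory that every user reads from (setgid `man` plus group-writable `/usr/share/man/cat*`), is easy to check mechanically. The script below is an added example, not code from the mail, the advisory or FreeBSD. It assumes a POSIX sh whose `test` supports the `-u` and `-g` primaries and an `ls -ld` that prints `mode links owner group ...`; the paths in the usage line are the ones from Wolfram's `ls` output, and the function name is invented here.

```shell
#!/bin/sh
# Added example, not part of the original mail or advisory.
# Flag a set[ug]id binary whose effective user or group can write a given
# directory. On the system Wolfram describes this fires for
#   /usr/bin/man (-r-xr-sr-x, group man)  +  /usr/share/man/cat1 (drwxrwxr-x, group man)
# because anything the setgid program (or anyone who gets its group) drops
# into cat1 is later read by every user running man(1).

# Field helpers: parse `ls -ld` rather than stat(1), whose flags differ
# between GNU and BSD.
perm_string() { ls -ld "$1" | awk '{print $1}'; }   # e.g. drwxrwxr-x
owner_of()    { ls -ld "$1" | awk '{print $3}'; }
group_of()    { ls -ld "$1" | awk '{print $4}'; }

# check_privileged_writable BIN DIR
# Prints a finding and returns 0 when
#   - BIN is setuid and its owner owns DIR with the owner-write bit set, or
#   - BIN is setgid and DIR is writable by the same group.
# Returns 1 silently when neither holds, 2 when DIR does not exist.
check_privileged_writable() {
    bin=$1
    dir=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    dperm=$(perm_string "$dir")
    hit=1
    # setuid case: owner-write bit is character 3 of the mode string
    if [ -u "$bin" ] && [ "$(owner_of "$bin")" = "$(owner_of "$dir")" ] \
       && [ "$(printf %s "$dperm" | cut -c3)" = "w" ]; then
        echo "setuid $bin (owner $(owner_of "$bin")) can write $dir ($dperm)"
        hit=0
    fi
    # setgid case: group-write bit is character 6 of the mode string
    if [ -g "$bin" ] && [ "$(group_of "$bin")" = "$(group_of "$dir")" ] \
       && [ "$(printf %s "$dperm" | cut -c6)" = "w" ]; then
        echo "setgid $bin (group $(group_of "$bin")) can write $dir ($dperm)"
        hit=0
    fi
    return $hit
}

# Usage: sh audit-setid.sh /usr/bin/man /usr/share/man/cat1
if [ $# -eq 2 ]; then
    check_privileged_writable "$1" "$2"
fi
```

Run it over every set-id binary and the directories it is known to write (`find / -perm -4000 -o -perm -2000` gives the binaries); a non-empty result is exactly the condition the advisory's "trojan horse" remark depends on, since the set-id identity, once obtained, can plant content that other users consume.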