May 30, 2001

SuSE: 'man' format string and other vulnerabilities

Author: JT Smith

Two vulnerabilities have been found in the man package that is installed
by default in all SuSE Linux distributions. The first error is a format
string bug in the error handling routine of the man command that can
allow a local attacker to gain the privileges of the user "man" on SuSE
Linux systems (the man command in /usr/bin is installed setuid man).
After getting write access to the /usr/bin/man binary, an attacker can
place a cuckoo's egg into the executable, waiting for root to view
The second problem is a segmentation fault that can be caused by the
options "-S ::: foo" to the man command. On other Linux distributions,
this problem has been found exploitable.
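
The class of defect behind the first problem, shown as an added example (not code from the man package or from the SuSE advisory): an error routine that receives user-controlled text as its format string, next to the corrected call. The function names and the sample input are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error routine of a command-line tool (not man's source).
 * Declaring it with __attribute__((format(printf, 3, 4))) would let
 * gcc/clang -Wformat-security flag the defective call site below. */
static int error_report(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Defective call site: user-controlled text becomes the format string,
 * so any conversion specifier in it is interpreted. */
static int report_unsafe(char *out, size_t n, const char *user_text)
{
    return error_report(out, n, user_text);
}

/* Corrected call site: constant format, user text is passed as data. */
static int report_safe(char *out, size_t n, const char *user_text)
{
    return error_report(out, n, "%s", user_text);
}

int main(void)
{
    /* Constructed input. "%%" consumes no argument, so the defective
     * path stays well defined while still showing that the text is
     * parsed as a format rather than copied. */
    const char *arg = "no entry for 100%% coverage";
    char a[64], b[64];

    report_unsafe(a, sizeof a, arg);
    report_safe(b, sizeof b, arg);
    printf("unsafe: %s\nsafe:   %s\n", a, b);

    /* Exit status 0 when the two outputs differ, as expected. */
    return strcmp(a, b) == 0;
}
```

The two outputs differ only because the defective path parsed the argument as a format; in a setuid binary that same parsing is what turns user input into the privilege gain described above.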

