From proff Sat May 25 09:36:12 1996 Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id JAA12869 for best-of-security; Sat, 25 May 1996 09:36:12 +1000 Received: from why.cert.org (why.cert.org [192.88.210.60]) by suburbia.net (8.7.4/Proff-950810) with SMTP id FAA02580 for ; Sat, 25 May 1996 05:59:33 +1000 Received: (from cert-advisory@localhost) by why.cert.org (8.6.12/CERT-ecd.1) id PAA11672 for cert-advisory-queue-4; Fri, 24 May 1996 15:21:17 -0400 Date: Fri, 24 May 1996 15:21:17 -0400 Message-Id: <199605241921.PAA11672@why.cert.org> From: CERT Bulletin To: cert-advisory@cert.org Subject: CERT Vendor-Initiated Bulletin VB-96.09 - FreeBSD, Inc. Reply-To: cert-advisory-request@cert.org Organization: CERT(sm) Coordination Center - +1 412-268-7090 Sender: proff -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Vendor-Initiated Bulletin VB-96.09 May 24, 1996 Topic: Security Compromise from Man Page Utility Source: FreeBSD, Inc. To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from FreeBSD, Inc. FreeBSD, Inc. urges you to act on this information as soon as possible. FreeBSD, Inc. contact information is included in the forwarded text below; please contact them if you have any questions or need further information. =======================FORWARDED TEXT STARTS HERE============================ ============================================================================= FreeBSD-SA-96:11 Security Advisory Revised: Wed May 22 00:11:46 PDT 1996 FreeBSD, Inc. Topic: security compromise from man page utility Category: core Module: man Announced: 1996-05-21 Affects: FreeBSD 2.0, 2.0.5, 2.1, 2.1-stable, and 2.2-current Corrected: 2.1-stable and 2.2-current as of 1996-05-21 FreeBSD only: yes Patches: ftp://freebsd.org/pub/CERT/patches/SA-96:11/ ============================================================================= I. Background FreeBSD replaced the standard BSD manual page reader with code developed by a third party to support compressed manual pages. A bug was found in the manual page reader which can allow an unprivileged local user to compromise system security in a limited fashion. This problem is present in all source code and binary distributions of FreeBSD version 2.x released before 1996-05-21. II. Problem Description The man program is setuid to the "man" user. By executing a particular sequence of commands, an unprivileged local user may gain the access privileges of the "man" user. However, root access could be obtained with further work. III. Impact The "man" user has no particular special privileges, it is the owner of the /usr/share/man/cat[0-9] directory hierarchy. Unformatted system manual pages are owned by the "bin" user. However, further exploits once "man" is obtained could possibly allow a local user to obtain unlimited access via a trojan horse. This vulnerability can only be exploited by users with a valid account on the local system. IV. Workaround One may simply disable the setuid bit on the /usr/bin/man file. This will disable caching of formatted manual pages, no system functionality will be lost. This workaround will suffice for all versions of FreeBSD affected by this problem. As root, execute the command: # chmod u-s /usr/bin/man then verify that the setuid permissions of the files have been removed. The permissions array should read "-r-xr-xr-x" as shown here: # ls -l /usr/bin/man -r-xr-xr-x 1 man bin 28672 May 19 20:38 /usr/bin/man We also suggest applying the following patch to the source distribution so that the man program will not be installed setuid man should you rebuild from sources: *** /usr/src/gnu/usr.bin/man/man/Makefile Sun Feb 25 13:39:52 1996 --- /usr/src/gnu/usr.bin/man/man/Makefile Wed May 22 00:13:05 1996 *************** *** 1,7 **** PROG= man SRCS= man.c manpath.c glob.c - BINMODE=4555 - BINOWN= man .if exists(${.CURDIR}/../lib/obj) LDADD= -L${.CURDIR}/../lib/obj -lman --- 1,5 ---- V. Solution The FreeBSD team is in the process of rewriting portions of the manual program to avoid this and similar vulnerabilities. This security advisory will be updated when a complete solution is available. ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT is a service mark of Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMaX7P3VP+x0t4w7BAQG8zAP/cwwleYCEROUCIBHiojVcVC89OiHSsSWX WhPECX/Q8CmNb1yZlaHWzK2WCMCI1tMw47eTLPRRjKXTwYMQWP8b0cYNZh9nx5bp 3kSVI1rpCr2xBJw0OGZJtyT6v5l4NRDX0V7fPvhTQUMdiMneSZ/MPu2/tE2nIEXy N0IW/e6XO2A= =dFBn -----END PGP SIGNATURE-----