From tim@robbins.dropbear.id.au  Wed Dec 12 23:25:28 2001
Return-Path: <tim@robbins.dropbear.id.au>
Received: from raven.robbins.dropbear.id.au (163.a.011.mel.iprimus.net.au [210.50.216.163])
	by hub.freebsd.org (Postfix) with ESMTP id 036E637B417
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 12 Dec 2001 23:25:26 -0800 (PST)
Received: (from tim@localhost)
	by raven.robbins.dropbear.id.au (8.11.6/8.11.6) id fBD7DiH01449;
	Thu, 13 Dec 2001 18:13:44 +1100 (EST)
	(envelope-from tim)
Message-Id: <200112130713.fBD7DiH01449@raven.robbins.dropbear.id.au>
Date: Thu, 13 Dec 2001 18:13:44 +1100 (EST)
From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Reply-To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: FreeBSD's man(1) utility vulnerable to old catman attacks
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         32791
>Category:       bin
>Synopsis:       FreeBSD's man(1) utility vulnerable to old catman attacks
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    ru
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 12 23:30:00 PST 2001
>Closed-Date:    Wed Sep 28 16:04:41 GMT 2005
>Last-Modified:  Wed Sep 28 16:04:41 GMT 2005
>Originator:     Tim J. Robbins
>Release:        FreeBSD 4.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD raven.robbins.dropbear.id.au 4.4-STABLE FreeBSD 4.4-STABLE #1: Thu Dec 13 10:57:55 EST 2001 tim@raven.robbins.dropbear.id.au:/usr/obj/usr/src/sys/GENERIC i386

>Description:
The catman system of the man(1) utility included with FreeBSD is vulnerable to
a whole bunch of attacks whereby the catpage's contents can be controlled
by an attacker. Discussions of the problem:
http://security-archive.merton.ox.ac.uk/security-audit-199908/
("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups)
http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html
(more problems)

>How-To-Repeat:
There are too many ways to repeat the problem.. here's one:
$ ln -s /usr/share/man/cat1 cat1
$ mkdir man1
$ cd man1
$ cat >ls.1
oops! modified
^D
$ cd ..
$ man -M . ls     
Formatting page, please wait...Done.
oops! modified

>Fix:
Remove the suid(!) bit from /usr/bin/man.
>Release-Note:
>Audit-Trail:

From: Ruslan Ermilov <ru@FreeBSD.org>
To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Cc: security@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Thu, 13 Dec 2001 15:38:04 +0200

 On Thu, Dec 13, 2001 at 06:13:44PM +1100, Tim J. Robbins wrote:
 > 
 > The catman system of the man(1) utility included with FreeBSD is
 > vulnerable to a whole bunch of attacks whereby the catpage's
 > contents can be controlled by an attacker. Discussions of the
 > problem:
 > http://security-archive.merton.ox.ac.uk/security-audit-199908/
 > ("SGID man", Solar Designer, Sun Aug 01 1999 .. and followups)
 > http://security-archive.merton.ox.ac.uk/security-audit-200010/0022.html
 > (more problems)
 > 
 > >How-To-Repeat:
 > There are too many ways to repeat the problem.. here's one:
 > $ ln -s /usr/share/man/cat1 cat1
 > $ mkdir man1
 > $ cd man1
 > $ cat >ls.1
 > oops! modified
 > ^D
 > $ cd ..
 > $ man -M . ls     
 > Formatting page, please wait...Done.
 > oops! modified
 > 
 > >Fix:
 > Remove the suid(!) bit from /usr/bin/man.
 > 
 Unfortunately, removing the SUID bit from man(1) is not possible,
 because it is used to create new or update obsolete catpages
 in %manpath%/cat%section% directories, which are usually owned
 by the user ``man'', except private user directories.
 
 The below patch doesn't allow man(1) to use its SUID powers
 when the catpage's directory is accessed via symlink.
 
 Index: man.c
 ===================================================================
 RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
 retrieving revision 1.49
 diff -u -p -r1.49 man.c
 --- man.c	2001/09/06 11:54:28	1.49
 +++ man.c	2001/12/13 13:28:42
 @@ -23,6 +23,7 @@
  #include <sys/param.h>
  #include <ctype.h>
  #include <errno.h>
 +#include <libgen.h>
  #ifdef __FreeBSD__
  #include <locale.h>
  #include <langinfo.h>
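 Review bot: the second hunk also uses struct stat, lstat() and S_ISDIR(), which come from <sys/stat.h>; the context shown here has only <sys/param.h>, <ctype.h> and <errno.h>, so confirm that man.c already includes <sys/stat.h> (likely, since make_cat_file() already stats files) or add it next to the new `#include <libgen.h>`. While here: POSIX permits dirname() to modify the string it is given; if the libc in use does that, cat_file is truncated before the make_cat_file() calls in the next hunk, so it is worth a comment that this relies on a non-modifying dirname(3).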
 @@ -1402,19 +1403,24 @@ format_and_display (path, man_file, cat_
  	    {
  
  #ifdef SETUID
 -	      seteuid(euid);
 -	      found = make_cat_file (path, man_file, cat_file, 1);
 -	      seteuid(ruid);
 -
 -	      if (!found)
 -	        {
 -		  /* Try again as real user - see note below.
 -		     By running with
 -		       effective group (user) ID == real group (user) ID
 -		     except for the call above, I believe the problems
 -		     of reading private man pages is avoided.  */
 -		  found = make_cat_file (path, man_file, cat_file, 0);
 -	        }
 +	      char *cat_dir = dirname(cat_file);
 +	      struct stat sb;
 +	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
 +		{
 +		  seteuid(euid);
 +		  found = make_cat_file (path, man_file, cat_file, 1);
 +		  seteuid(ruid);
 +    
 +		  if (!found)
 +		    {
 +		      /* Try again as real user - see note below.
 +			 By running with
 +			   effective group (user) ID == real group (user) ID
 +			 except for the call above, I believe the problems
 +			 of reading private man pages is avoided.  */
 +		      found = make_cat_file (path, man_file, cat_file, 0);
 +		    }
 +		}
  #else
  	      found = make_cat_file (path, man_file, cat_file, 0);
  #endif
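 Review bot: the real-user fallback `found = make_cat_file (path, man_file, cat_file, 0);` has moved inside the new `if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))` block, so when the directory test fails nothing is attempted at all, not even as the real user, and `found` keeps whatever value it had before; a private catpage directory reached through a symlink is therefore never written. The fallback belongs outside the check, with only the seteuid(euid) attempt guarded by it. Two further points on the check itself: lstat() is applied to the whole dirname() result, so only the final component is examined and a symlink in an earlier component is still followed, and the test is separated from the open inside make_cat_file() by a window in which the directory can change; opening the directory component by component with O_NOFOLLOW and creating the catpage with openat() on that descriptor would address both.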
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age

From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: "Tim J. Robbins" <tim@robbins.dropbear.id.au>,
	security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Thu, 13 Dec 2001 19:07:13 +0300

 On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
 
 > The below patch doesn't allow man(1) to use its SUID powers
 > when the catpage's directory is accessed via symlink.
 
 It breaks private cat pages (the symlink check must not be present for them)
 
 -- 
 Andrey A. Chernov
 http://ache.pp.ru/

From: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
To: Ruslan Ermilov <ru@FreeBSD.ORG>
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 11:57:55 +1100

 On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
 
 > Unfortunately, removing SUID bit from man(1) is not possible,
 > because it is used to create new or update obsolete catpages
 > in %manpath%/cat%section% directories which are usually owned
 > by the user ``man'', except private user directories.
 
 I think that making man sgid man instead of suid man would be a good
 idea also; I remember Red Hat Linux used this same man utility in version 6.2
 and they had it sgid. If an attacker gained uid man through a flaw in the
 utility, they could plant a trojan horse and wait for root to run it.
 
 I'll check out how it's been done in Redhat and see if I can come up
 with a patch. I don't think this would break anything.
 
 As for the catman issues, I think it's a flaw in the man utility that
 it trusts the user running the command to format the manual pages.
 I can't think of a good way to fix it.
 
 
 Tim

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: "Tim J. Robbins" <tim@robbins.dropbear.id.au>,
	security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 09:56:19 +0200

 On Thu, Dec 13, 2001 at 07:07:13PM +0300, Andrey A. Chernov wrote:
 > On Thu, Dec 13, 2001 at 15:38:04 +0200, Ruslan Ermilov wrote:
 > 
 > > The below patch doesn't allow man(1) to use its SUID powers
 > > when the catpage's directory is accessed via symlink.
 > 
 > It breaks private cat pages (symlink check must not present for them)
 > 
 Oops, right, wrongly placed closing brace:
 
 Index: man.c
 ===================================================================
 RCS file: /home/ncvs/src/gnu/usr.bin/man/man/man.c,v
 retrieving revision 1.49
 diff -u -p -r1.49 man.c
 --- man.c	2001/09/06 11:54:28	1.49
 +++ man.c	2001/12/14 07:57:03
 @@ -23,6 +23,7 @@
  #include <sys/param.h>
  #include <ctype.h>
  #include <errno.h>
 +#include <libgen.h>
  #ifdef __FreeBSD__
  #include <locale.h>
  #include <langinfo.h>
 @@ -1402,10 +1403,15 @@ format_and_display (path, man_file, cat_
  	    {
  
  #ifdef SETUID
 -	      seteuid(euid);
 -	      found = make_cat_file (path, man_file, cat_file, 1);
 -	      seteuid(ruid);
 -
 +	      char *cat_dir = dirname(cat_file);
 +	      struct stat sb;
 +	      if (cat_dir != NULL && lstat(cat_dir, &sb) == 0 && S_ISDIR(sb.st_mode))
 +		{
 +		  seteuid(euid);
 +		  found = make_cat_file (path, man_file, cat_file, 1);
 +		  seteuid(ruid);
 +		}
 +    
  	      if (!found)
  	        {
  		  /* Try again as real user - see note below.
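 Review bot: with the `if (!found)` fallback now outside the guarded block the private-catpage regression is gone, and the seteuid(euid) attempt is the only thing the check controls, which is the intended scope. What remains is the strength of the test: lstat() sees only the last component of dirname(cat_file), so a symlink in an intermediate component is still followed, and there is a check-then-use window between lstat() and the open in make_cat_file(); opening the directory component by component with O_NOFOLLOW and writing through openat() on that descriptor covers both. Minor: the `+    ` line adds trailing whitespace.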
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
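 One way to harden the directory test used in the two patches above, as an added example that is not code from this PR or from FreeBSD's man.c: instead of lstat() on dirname(cat_file), the catpage directory is opened one component at a time with O_NOFOLLOW, so a symlink in any component is refused and the descriptor that comes back is the one to create the catpage through, which removes the gap between the check and the open. It assumes a POSIX.1-2008 libc (openat, O_DIRECTORY, O_NOFOLLOW) and builds its own constructed fixture under /tmp; the names open_catdir_nofollow, catdir_is_plain, lastcomp_is_dir and run_fixture_checks are mine.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `dir` one component at a time with O_NOFOLLOW, so no component may
 * be a symlink.  Returns a directory fd the caller then writes through with
 * openat(fd, name, ...), or -1.  Empty components ("a//b", trailing "/") are
 * skipped, so a trailing slash cannot turn the test back into a stat(). */
int open_catdir_nofollow(const char *dir)
{
    char *copy, *comp, *save;
    int fd, next;
    if (dir == NULL || *dir == '\0' || (copy = strdup(dir)) == NULL)
        return -1;
    fd = open(*dir == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY);
    for (comp = strtok_r(copy, "/", &save); fd >= 0 && comp != NULL;
         comp = strtok_r(NULL, "/", &save)) {
        next = openat(fd, comp, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
        close(fd);                     /* a symlink component fails here */
        fd = next;
    }
    free(copy);
    return fd;
}

int catdir_is_plain(const char *dir)       /* boolean form; closes the fd */
{
    int fd = open_catdir_nofollow(dir);
    return fd >= 0 ? (close(fd), 1) : 0;
}

/* The patches' own test, for comparison: lstat() of the final component. */
int lastcomp_is_dir(const char *dir)
{
    struct stat sb;
    return lstat(dir, &sb) == 0 && S_ISDIR(sb.st_mode);
}

/* Constructed fixture (a fresh directory under /tmp, chdir'ed into and left
 * in place): real/cat1 is a plain directory, cat1link -> real/cat1 is a
 * symlink as the last component, link -> real is a symlink in an intermediate
 * component.  Returns a bitmask: bit0 plain(real/cat1), bit1 plain(cat1link),
 * bit2 plain(link/cat1), bit3 lastcomp_is_dir(link/cat1); -1 on setup error. */
int run_fixture_checks(void)
{
    char t[] = "/tmp/catdirXXXXXX";
    if (mkdtemp(t) == NULL || chdir(t) != 0)
        return -1;
    if (mkdir("real", 0700) || mkdir("real/cat1", 0700) ||
        symlink("real/cat1", "cat1link") || symlink("real", "link"))
        return -1;
    return catdir_is_plain("real/cat1") | catdir_is_plain("cat1link") << 1
         | catdir_is_plain("link/cat1") << 2 | lastcomp_is_dir("link/cat1") << 3;
}
```

 run_fixture_checks() returns 9: the component walk rejects both symlink layouts, while the final-component lstat() still accepts link/cat1.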

From: Ruslan Ermilov <ru@FreeBSD.ORG>
To: "Tim J. Robbins" <tim@robbins.dropbear.id.au>
Cc: security@FreeBSD.ORG, bug-followup@FreeBSD.ORG
Subject: Re: bin/32791: FreeBSD's man(1) utility vulnerable to old catman attacks
Date: Fri, 14 Dec 2001 10:04:00 +0200

 On Fri, Dec 14, 2001 at 11:57:55AM +1100, Tim J. Robbins wrote:
 > On Thu, Dec 13, 2001 at 03:38:04PM +0200, Ruslan Ermilov wrote:
 > 
 > > Unfortunately, removing SUID bit from man(1) is not possible,
 > > because it is used to create new or update obsolete catpages
 > > in %manpath%/cat%section% directories which are usually owned
 > > by the user ``man'', except private user directories.
 > 
 > I think that making man sgid man instead of suid man would be a good
 > idea also; I remember Red Hat Linux used this same man utility in version 6.2
 > and they had it sgid. If an attacker gained uid man through a flaw in the
 > utility, they could plant a trojan horse and wait for root to run it.
 > 
 > I'll check out how it's been done in Redhat and see if I can come up
 > with a patch. I don't think this would break anything.
 > 
 Our man(1) uses its SUID bit only to write to catpages.
 
 > As for the catman issues, I think it's a flaw in the man utility that
 > it trusts the user running the command to format the manual pages.
 > I can't think of a good way to fix it.
 > 
 Yeah, bearing in mind the other breakage, that the user is allowed
 to supply his own ${GROFF_TMAC_PATH}, I think it would be a good
 idea to disable this feature of man(1) to create catpages, like
 it's done in OpenBSD and probably NetBSD.  Catpages are optional,
 and if you have enough disk space, you can set MANBUILDCAT=YES
 in your /etc/make.conf, and have ``make world'' build and install
 them for you.  Also, we have a ${weekly_catman_enable} feature in
 periodic.conf(5).  Removing the catpaging feature of man(1) would
 allow us to drop its SUIDness completely.
 
 If there are no serious objections, I'm volunteering to do this
 job after a 4.5-RELEASE.
 
 
 Cheers,
 -- 
 Ruslan Ermilov		Oracle Developer/DBA,
 ru@sunbay.com		Sunbay Software AG,
 ru@FreeBSD.org		FreeBSD committer,
 +380.652.512.251	Simferopol, Ukraine
 
 http://www.FreeBSD.org	The Power To Serve
 http://www.oracle.com	Enabling The Information Age
Responsible-Changed-From-To: freebsd-bugs->ru 
Responsible-Changed-By: ru 
Responsible-Changed-When: Wed Jan 9 02:21:32 PST 2002 
Responsible-Changed-Why:  
I'm working on this. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32791 
State-Changed-From-To: open->feedback 
State-Changed-By: ru 
State-Changed-When: Tue Jan 15 06:11:42 PST 2002 
State-Changed-Why:  
In FreeBSD 5.0-CURRENT, man(1) is no longer installed setuid ``man''. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32791 

State-Changed-From-To: feedback->closed 
State-Changed-By: ru 
State-Changed-When: Wed Sep 28 15:59:37 GMT 2005 
State-Changed-Why:  
After some years of thinking I decided that trusting the user 
to save formatted catpages is a misfeature.  As such, this PR 
is closed with SETUID code still in the sources but inactive. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=32791 
>Unformatted:
