Sysadmin Magazine man.sh Arbitrary Command Execution Vulnerability
BID:2276
Info
| Bugtraq ID: | 2276 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 16 1998 12:00AM |
| Updated: | May 16 1998 12:00AM |
| Credit: | This vulnerability was announced to Bugtraq by Aleph One <[email protected]> on May 16, 1998, and was originally discovered and announced by Robert Moniot <[email protected]> . |
| Vulnerable: | SysAdmin Magazine man.sh 1.0 |
| Not Vulnerable: | |
Discussion
man.sh is a script that was published in Sysadmin magazine. The purpose of the script is to create .html files from man pages for formatted viewing on the fly.
However, a flaw in the man.sh script allows users to remotely execute arbitrary commands. Because the script handles special characters improperly, it can be forced to execute arbitrary commands. A user with malicious motives can use this to execute arbitrary commands with the UID and GID of the httpd process, and potentially gain access to the local host.
Solution / Fix
Solution:
This fix has been provided by Robert Moniot <[email protected]> :
48,49c48,50
< sub(/\=/, "=\"", x)
< sub(/$/, "\"", x)
---
> gsub(/[^-_=+%a-zA-Z0-9]/, ".", x) # strip out any funny chars
> sub(/\=/, "='"'"'", x) # quote rhs in apostrophes
> sub(/$/, "'"'"'", x)
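Review bot: the apostrophe quoting added on new lines 49-50 is only safe because the gsub on line 48 has already replaced every apostrophe in x, and nothing records that ordering dependency; a comment on the gsub saying it must stay ahead of the two sub calls would keep a later edit from reordering them. The allowlist also keeps `%`, so percent-encoded sequences pass through unchanged; it is worth confirming that nothing downstream decodes %XX after this point, since that would reintroduce characters the filter just replaced. When x contains no `=`, the first sub does nothing and the second still appends a closing apostrophe, so this hunk relies on the name check in the next hunk to drop such lines.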
51,52c52,53
< gsub(/\+/, " ", x)
< print x
---
> gsub(/\+/, " ", x) # change + to space
> if( x ~ /^(man|srch)=/ ) print x
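Review bot: the check `if( x ~ /^(man|srch)=/ ) print x` on new line 53 silently discards every other parameter, and the two accepted names are hard-coded without a comment; a note stating that man and srch are the only variables the script expects would make the intent clear to whoever adds a parameter later. The `+` to space substitution on line 52 runs after the character filter and applies to the whole of x, name included, so the anchored regex is what rejects a name containing a space. Testing the name before any quoting or substitution would be cleaner, since rejected input would then never be transformed at all.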