Man -S Heap Overflow Vulnerability
BugTraq ID: 2711
Remote: No
Date Published: 2001-05-13
Relevant URL: http://www.securityfocus.com/bid/2711
Summary:

A heap overflow vulnerability exists in the 'man' system manual pager program. The vulnerability exists due to a length check error when the -S option is given.

The argument to the -S option is copied into a buffer allocated on the heap using malloc(). Because it is an unbounded copy, any data in the string beyond the length of the malloc'd buffer overwrites neighboring memory.

It may be possible for attackers to overwrite the headers of other malloc'd buffers in such a way that arbitrary addresses are overwritten with attacker-supplied values when free() is called on them. It has been reported that the location in memory that is overwritten must be followed by a null pointer (4 null bytes).

It may be possible to replace the last entry in the global offset table with a pointer pointing to shellcode on the stack, which will be executed when the replaced function is called. As a result, this shellcode will execute with group 'man' privileges. Depending on the system configuration, this may lead to further compromise of the host.
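
The unbounded-copy pattern described in the summary, next to a length-checked version, as an added example (not code from man or from the advisory). The function names and the 64-byte buffer size are assumptions; the advisory does not give the real ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the advisory does not state the real one. */
#define SECTION_BUF 64

/* Hypothetical "before": fixed-size heap buffer, unbounded copy. Input longer
 * than SECTION_BUF - 1 bytes runs past the allocation into neighbouring memory. */
char *copy_sections_unchecked(const char *arg)
{
    char *buf = malloc(SECTION_BUF);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);               /* no length check */
    return buf;
}

/* Hypothetical "after": measure the input with a bounded scan and
 * reject anything that does not fit together with its terminator. */
char *copy_sections_checked(const char *arg)
{
    size_t len = 0;
    char *buf;
    if (arg == NULL)
        return NULL;
    while (len < SECTION_BUF && arg[len] != '\0')
        len++;
    if (len == SECTION_BUF)         /* too long: refuse, do not truncate */
        return NULL;
    buf = malloc(SECTION_BUF);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);      /* len + 1 <= SECTION_BUF */
    return buf;
}

int main(void)
{
    char oversized[200];            /* constructed sample input */
    char *ok = copy_sections_checked("1:3:8");
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    printf("short list: %s\n", ok ? ok : "(rejected)");
    printf("oversized:  %s\n",
           copy_sections_checked(oversized) ? "accepted" : "rejected");
    free(ok);
    return 0;
}
```

Rejecting the oversized argument, rather than truncating it, keeps the program from acting on a section list the user did not actually supply.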
