J-Security Center

Title: Man -S Heap Overflow Vulnerability

Severity: MODERATE

Description:

A heap overflow vulnerability exists in the 'man' system manual pager program.

The vulnerability exists due to a length check error when the -S option is given.

The argument to the -S option is copied into a buffer allocated on the heap with malloc(). Because the copy is unbounded, any data in the string beyond the length of the malloc'd buffer overwrites neighboring memory. Attackers may be able to overwrite the headers of other malloc'd buffers in such a way that arbitrary addresses are overwritten with attacker-supplied values when free() is called on them. It has been reported that the overwritten memory location must be followed by a null pointer (4 null bytes). It may be possible to replace the last entry in the global offset table with a pointer to shellcode on the stack, which is then executed when the replaced function is called.

As a result, this shellcode will execute with group 'man' privileges. Depending on the system configuration, this may lead to further compromise of the host.
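The unbounded heap copy described above, shown next to a length-checked form. This is an added illustration, not the source code of 'man'. The function names, buffer size, length limit, and the sample argument "1:8:3" are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SECTION_BUF 16   /* assumed size; the advisory does not state the real one */
#define SECTION_MAX 64   /* assumed policy limit for the hardened version */

/* The flawed pattern: fixed-size heap buffer, unbounded copy. An argument of
 * SECTION_BUF bytes or more runs past the allocation into adjacent heap data. */
char *copy_sections_unbounded(const char *arg)
{
    char *buf = malloc(SECTION_BUF);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);                 /* no length check */
    return buf;
}

/* Hardened form: measure the input with a bound, reject anything over the
 * limit, and size the allocation from the measured length. */
char *copy_sections_checked(const char *arg, size_t max_len)
{
    size_t len = 0;
    char *buf;
    if (arg == NULL)
        return NULL;
    while (len <= max_len && arg[len] != '\0')
        len++;
    if (len > max_len)
        return NULL;                  /* refuse instead of truncating silently */
    buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);        /* includes the terminating NUL */
    return buf;
}

int main(void)
{
    char big[SECTION_MAX + 2];        /* constructed input, one byte over the limit */
    char *ok = copy_sections_checked("1:8:3", SECTION_MAX);
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short: %s\n", ok ? ok : "(rejected)");
    printf("oversized: %s\n", copy_sections_checked(big, SECTION_MAX) ? "accepted" : "rejected");
    free(ok);
    return 0;
}
```

Rejecting an oversized argument outright, rather than truncating it, keeps the program from acting on a value the user did not supply.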

Affected Products:

  • Immunix Immunix OS 6.2.0
  • Immunix Immunix OS 7.0.0
  • Immunix Immunix OS 7.0.0 beta
  • RedHat Linux 5.2.0
  • RedHat Linux 6.2.0
  • RedHat Linux 7.0.0
  • RedHat man-1.5f-1.i386.rpm 0.0.0
  • RedHat man-1.5h1-1.i386.rpm 0.0.0
  • RedHat man-1.5h1-10.i386.rpm 0.0.0
  • S.u.S.E. Linux 6.0.0
  • S.u.S.E. Linux 6.1.0
  • S.u.S.E. Linux 6.2.0
  • S.u.S.E. Linux 6.3.0
  • S.u.S.E. Linux 6.4.0
  • S.u.S.E. Linux 7.0.0
  • S.u.S.E. Linux 7.1.0
