J-Security Center

Title: Linux Man Malicious Cache File Creation Vulnerability

Severity: MODERATE

Description:

When a system manual page is viewed, the man program creates a cache file containing information relevant to the current state of the manual page system and the information stored within that page, to enhance the speed of subsequent lookups.

It is possible for local users to cause man to cache files from outside of the configured manual page hierarchy search path.

Most man implementations offer the user the ability to specify a custom directory from which to locate and load man pages. This user-specified man directory can also contain the cache directory, which will be used if it exists.

The vulnerability in the Linux implementation of man is that when the desired manpage (from a user-controlled man directory) is loaded, the cached version is created without first dropping privileges. Another issue is that man follows symbolic links as cache directories.

It is therefore possible to have man create a cache file as group 'man' in the system cache directory. This would be accomplished by creating the user-controlled cache directory as a symbolic link pointing to the system cache directory. When the man page (from the user-supplied area) is viewed, a cache file is created with group 'man' privileges in the directory pointed to by the symbolic link, which is the system cache directory.

Combined with the behaviours of 'man' and 'mandb' or any other utilities which trust cache filenames, it may be possible to use this vulnerability to elevate privileges. See the attack scenarios section.
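The two flaws described above (no privilege drop before the cache is written, and a symbolic link accepted as the cache directory) correspond to two checks on the write path. The following C code is an added example showing those checks; it is not code from man or from this advisory, and the function names and parameters are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Give up the elevated group (e.g. a setgid 'man' binary) before touching
 * a user-controlled tree. Returns 0 only if the drop verifiably worked. */
int drop_group_privs(void)
{
    gid_t real = getgid();
    if (setegid(real) != 0)
        return -1;
    return getegid() == real ? 0 : -1;
}

/* Open <man_root>/<cache_name> as a directory, refusing a symbolic link in
 * the final component. Returns a directory fd, or -1 with errno set. */
int open_cache_dir(const char *man_root, const char *cache_name)
{
    int root = open(man_root, O_RDONLY | O_DIRECTORY);
    if (root < 0)
        return -1;
    int dir = openat(root, cache_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    int saved = errno;
    close(root);
    errno = saved;
    return dir;
}

/* Create a cache file for a page from a user-supplied tree. Privileges are
 * dropped first, the directory is opened without following a link, and the
 * file is created exclusively. Returns 0 on success, -1 on refusal/error. */
int write_user_cache(const char *man_root, const char *cache_name,
                     const char *file, const void *buf, size_t len)
{
    if (drop_group_privs() != 0)
        return -1;
    int dir = open_cache_dir(man_root, cache_name);
    if (dir < 0)
        return -1;
    int fd = openat(dir, file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    close(dir);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, buf, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}
```

Because the file is created relative to the already-opened directory descriptor, replacing the cache directory with a link after the check does not redirect the write.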

Affected Products:

  • Debian Linux 2.1.0
  • Debian Linux 2.2.0
  • RedHat Linux 6.1.0
  • RedHat Linux 6.2.0
  • RedHat Linux 7.0.0
  • RedHat Linux 7.1.0
