Title: XMan ManPath Environment Variable Buffer Overflow
Severity: MODERATE
Description:
xman is a component included with the XFree86 Window System.
A problem with the software makes it possible to execute arbitrary code. This problem, upon successful exploitation, could lead to a local user gaining administrative access. The problem is due to the ability to overflow a buffer in the code handling the MANPATH environment variable.
Under normal operating conditions, xman displays manual pages found in the directories listed in the MANPATH environment variable. When executed, it first checks the MANPATH environment variable for a listing of directories in which to find the man files.
When the MANPATH environment variable is filled with an excessively large string, a buffer overflow can occur. It is possible to fill the MANPATH environment variable with 70000 characters, which results in a buffer overflow. The xman program, as included in most distributions, is SGID man. By filling the environment variable with NOPs and appending shellcode to it, a local user could execute code with the privileges of the man group. This results in elevated privileges, and the potential ability for a local user to install malicious man pages.
Affected Products:
- MandrakeSoft Linux Mandrake 8.0.0
- XFree86 X11R6 3.3.2