Groff/troff security exposure
I have just read a security announcement sent by ISSalert regarding groff
manipulation that can lead to a security compromise (available at
The problem is that both troff and groff read files in the working directory
which can spin off commands in behalf of the user. This can be very sensible if
the one running a 'man' command is root since the whole system is exposed.
For in depth information refer to the link above, I have tested an exploit in
Debian GNU/Linux 2.2 and works as expected.
1.- groff attack
Reason: Groff will read any "devXX" directory available at the local dir and
process 'postpro' commands execv'ing them.
Test: Put a 'devlatin1' copy of /usr/share/groff/font/devlatin1/ files in the
/tmp dir, edit the DESC file to include (at the end):
Now put your favourite exploit in /tmp/exploit (for example add a new user to
/etc/passwd and /etc/shadow)
Then run 'groff -Tlatin1 ls.1' in /tmp as root. See what happens
2.- troff attack
Reason: troff will read any 'troffrc' file in the current dir
Test: put a troffrc file in the /tmp dir, check the troff manpage to see what it
can do. For example:
.opena passwds /etc/passwd
.write passwds guest:x:10000:10000::/:/bin/sh
.opena passwds /etc/shadow
.write passwds guest:AqualifiedHashPsswd:11215:0:99999:7:::
And run 'troff *anyfile*'
Check /etc/passwd :)
Now, this will not exactly work when doing 'man' since it will
1.- set its directory to where $MANPATH or where /etc/manpath.config points to
2.- change euid to 'man'.
However, man is not the only system that uses groff. I've checked package
dependencies and, for example: gnosamba (configuration utility for Samba that
will surely run as root since it has to change /etc/samba) and a2ps *do* use
I have not checked their sources on how could this be exploited, but if they
have not be carefully coded to check this situation (like man is).
My suggestion: groff and troff should *not* extend their paths to current
directory, *or* should not allow processing files from different users if owner
is root (to avoid a root compromise).
Javier Fernández-Sanguino Peña
Debian GNU/Linux developer
tel;fax:+34-91 806 46 41
tel;work:+34-91 806 46 40
org:SGI-GMV sistemas;Seguridad Lógica
adr:;;Sector Foresta 1;Tres Cantos;Madrid;E-28760;Spain
fn:Javier Fernández-Sanguino Peña