Internet Security Systems Security Advisory: GNU Groff utilitiesOct 05, 2000, 00:09 (1 Talkback[s])
Date: Wed, 4 Oct 2000 15:51:22 -0700
Internet Security Systems Security Advisory October 4, 2000
GNU Groff utilities read untrusted commands from current working directory
Internet Security Systems (ISS) has identified vulnerabilities in several utilities that ship as part of the Groff document formatting system package.
By default, the "troff" program reads its "troffrc" initialization file from the current working directory. From a security standpoint, it would be desirable to restrict the searchable path for this file to the invoker's home directory and/or a trusted system. Unfortunately, this could present problems for programs that depend on the current behavior.
The "groff" program, a front-end for troff, has a similar problem. It looks for the appropriate device description file (as given by the -T parameter, or "ps" by default) using devname/DESC in the current working directory. The device description file may contain an optional "postpro" directive, which defines a command to be run after normal processing. A malicious user could place a trojan device description file in a world-writable directory (i.e. /tmp), after which any invocations of groff from that directory are unsafe.
Unsuspecting users, including root, could be coerced into running arbitrary commands on the system.
The vulnerability is particularly dangerous in Linux distributions that have the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set which points to a wrapper script for the "less" pager program named "/usr/bin/lesspipe.sh". If less is passed a filename with any of the extensions ".1" through ".9", ".n", or ".man", it automatically calls groff to handle the file.
Troff is a document processor that ships with most Unix systems. Among other functions, it formats system manual pages into human-readable form. The GNU Groff package includes "troff", the main processing program, and "groff", a front-end for troff. Typically, troff is invoked by groff.
Troff supports a set of potentially dangerous macros: "open", "opena", "pso", "sy", and "pi", which provide the means to write to files and execute external commands. For example, "opena" opens a file for writing in append mode and "sy" performs a C system() call with the specified argument.
The default in groff is that these dangerous macros are disabled. This is accomplished by another macro defined in the file "tmac.safer". Unless overridden by the -U (unsafe) flag, the groff program passes troff the flag "-msafer", which instructs troff to process the tmac.safer macro before the input file. However, before troff processes the tmac.safer macro, it first looks for a "troffrc" initialization file. If one is found, it executes the commands found therein first, bypassing the dangerous macro protection. As mentioned above, troff looks for this initialization file in the current directory, creating a potentially dangerous situation.
Groff (speaking of the actual program now, not the package as a whole) is a front-end for troff. It supports a variety of devices. For example, the PostScript device is named "ps" and allows groff to generate output that is fit to print on PostScript printers. There is a device for HTML, and one called "ascii" that's used to pretty-print text on typewriter-like devices.
Each device supported by groff has a corresponding directory of the name "dev", where is "ps", "ascii", etc. These directories are typically installed under some trusted path on the system, i.e., /usr/lib. The device description file is named "dev/DESC". Since groff blindly trusts "DESC" files contained under the current directory hierarchy, an attacker may be able to fool another user into running any arbitrary command using the "postpro" directive.
Solar Designer points out that the aforementioned files are not alone in the set that may be accessed from the current directory. Other hard-coded filenames, such as "troffrc-end", could fall within the `.' search path as well (troffrc-end is loaded after the -msafer macros, though). In fact, the macro files themselves reference other files that could reside in the current directory.
Both administrators and users should exercise caution and not run "groff", "troff", or even the "man" command from untrusted directories.
Internet Security Systems has not received a response from the current GNU Groff maintainer. In the interest of accelerating the elimination of these vulnerabilities, this advisory is being disseminated to the open source community for public discussion.
Internet Security Systems recognizes that reading from the current directory is traditional groff/troff behavior, and that in many document-creating scenarios it is actually a useful `feature'. One possibility could be to not trust the current directory at all by default, perhaps requiring a special command line option to revert to the old behavior. At any rate, the fix is not obvious, as per Solar Designer's analysis.
Note that troff's -R option ("Don't load troffrc") does not eliminate the problem.
The dangerous Troff macros were discussed on the BUGTRAQ mailing list in July, 1999 on a thread under the subject heading of "Troff dangerous". A searchable archive of the BUGTRAQ list is at: http://www.securityfocus.com.
The Groff package can be found at the following FTP location:
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0803 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org) which standardizes names for security problems.
This vulnerability was discovered and researched by Aaron Campbell and Allen Wilson of the ISS X-Force. Internet Security Systems would like to acknowledge Solar Designer for his analysis of this problem.
About Internet Security Systems (ISS)
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail firstname.lastname@example.org for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force email@example.com of Internet Security Systems, Inc.