Date: Wed, 4 Oct 2000 15:51:22 -0700
From: Aleph One aleph1@UNDERGROUND.ORG
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ISS Security Advisory: GNU Groff utilities read untrusted
commands from current working directory
Internet Security Systems Security Advisory October 4, 2000
GNU Groff utilities read untrusted commands from current working
directory
Synopsis:
Internet Security Systems (ISS) has identified vulnerabilities
in several utilities that ship as part of the Groff document
formatting system package.
By default, the “troff” program reads its “troffrc”
initialization file from the current working directory. From a
security standpoint, it would be desirable to restrict the
searchable path for this file to the invoker’s home directory
and/or a trusted system. Unfortunately, this could present problems
for programs that depend on the current behavior.
The “groff” program, a front-end for troff, has a similar
problem. It looks for the appropriate device description file (as
given by the -T parameter, or “ps” by default) using devname/DESC
in the current working directory. The device description file may
contain an optional “postpro” directive, which defines a command to
be run after normal processing. A malicious user could place a
trojan device description file in a world-writable directory (i.e.
/tmp), after which any invocations of groff from that directory are
unsafe.
Impact:
Unsuspecting users, including root, could be coerced into
running arbitrary commands on the system.
The vulnerability is particularly dangerous in Linux
distributions that have the “lesspipe” feature. By default, a
“LESSOPEN” environment variable is set which points to a wrapper
script for the “less” pager program named “/usr/bin/lesspipe.sh”.
If less is passed a filename with any of the extensions “.1”
through “.9”, “.n”, or “.man”, it automatically calls groff to
handle the file.
Description:
Troff is a document processor that ships with most Unix systems.
Among other functions, it formats system manual pages into
human-readable form. The GNU Groff package includes “troff”, the
main processing program, and “groff”, a front-end for troff.
Typically, troff is invoked by groff.
Troff supports a set of potentially dangerous macros: “open”,
“opena”, “pso”, “sy”, and “pi”, which provide the means to write to
files and execute external commands. For example, “opena” opens a
file for writing in append mode and “sy” performs a C system() call
with the specified argument.
The default in groff is that these dangerous macros are
disabled. This is accomplished by another macro defined in the file
“tmac.safer”. Unless overridden by the -U (unsafe) flag, the groff
program passes troff the flag “-msafer”, which instructs troff to
process the tmac.safer macro before the input file. However, before
troff processes the tmac.safer macro, it first looks for a
“troffrc” initialization file. If one is found, it executes the
commands found therein first, bypassing the dangerous macro
protection. As mentioned above, troff looks for this initialization
file in the current directory, creating a potentially dangerous
situation.
Groff (speaking of the actual program now, not the package as a
whole) is a front-end for troff. It supports a variety of devices.
For example, the PostScript device is named “ps” and allows groff
to generate output that is fit to print on PostScript printers.
There is a device for HTML, and one called “ascii” that’s used to
pretty-print text on typewriter-like devices.
Each device supported by groff has a corresponding directory of
the name “dev”, where is “ps”, “ascii”, etc. These directories are
typically installed under some trusted path on the system, i.e.,
/usr/lib. The device description file is named “dev/DESC”. Since
groff blindly trusts “DESC” files contained under the current
directory hierarchy, an attacker may be able to fool another user
into running any arbitrary command using the “postpro”
directive.
Solar Designer points out that the aforementioned files are not
alone in the set that may be accessed from the current directory.
Other hard-coded filenames, such as “troffrc-end”, could fall
within the `.’ search path as well (troffrc-end is loaded after the
-msafer macros, though). In fact, the macro files themselves
reference other files that could reside in the current
directory.
Recommendations:
Both administrators and users should exercise caution and not
run “groff”, “troff”, or even the “man” command from untrusted
directories.
Internet Security Systems has not received a response from the
current GNU Groff maintainer. In the interest of accelerating the
elimination of these vulnerabilities, this advisory is being
disseminated to the open source community for public
discussion.
Internet Security Systems recognizes that reading from the
current directory is traditional groff/troff behavior, and that in
many document-creating scenarios it is actually a useful `feature’.
One possibility could be to not trust the current directory at all
by default, perhaps requiring a special command line option to
revert to the old behavior. At any rate, the fix is not obvious, as
per Solar Designer’s analysis.
Note that troff’s -R option (“Don’t load troffrc”) does not
eliminate the problem.
Additional Information:
The dangerous Troff macros were discussed on the BUGTRAQ mailing
list in July, 1999 on a thread under the subject heading of “Troff
dangerous”. A searchable archive of the BUGTRAQ list is at:
http://www.securityfocus.com.
The Groff package can be found at the following FTP
location:
ftp://ftp.gnu.org/pub/gnu/groff
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2000-0803 to this issue. This is a candidate
for inclusion in the CVE list (http://cve.mitre.org) which standardizes
names for security problems.
Credits:
This vulnerability was discovered and researched by Aaron
Campbell and Allen Wilson of the ISS X-Force. Internet Security
Systems would like to acknowledge Solar Designer for his analysis
of this problem.
_______
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of
security management solutions for the Internet. By providing
industry-leading SAFEsuite security software, remote managed
security services, and strategic consulting and education
offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted
e-business. ISS’ security management solutions protect more than
5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies
and over 35 government agencies. Founded in 1994, ISS is
headquartered in Atlanta, GA, with additional offices throughout
North America and international operations in Asia, Australia,
Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this
Alert electronically. It is not to be edited in any way without
express consent of the X-Force. If you wish to reprint the whole or
any part of this Alert in any other medium excluding electronic
medium, please e-mail xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user’s own
risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT’s PGP key server and PGP.com’s key server.
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet
Security Systems, Inc.