
Title: GNU Groff utilities read untrusted commands from current working directory
Released by: ISS
Date: 4th October 2000
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory

October 4, 2000

GNU Groff utilities read untrusted commands from current working directory

Synopsis:

Internet Security Systems (ISS) has identified vulnerabilities in several
utilities that ship as part of the Groff document formatting system package.

By default, the "troff" program reads its "troffrc" initialization file from
the current working directory. From a security standpoint, it would be
desirable to restrict the search path for this file to the invoker's home
directory and/or a trusted system directory. Unfortunately, this could
present problems for programs that depend on the current behavior.

The "groff" program, a front-end for troff, has a similar problem. It looks
for the appropriate device description file (for the device given by the -T
parameter, or "ps" by default) at dev<name>/DESC relative to the current
working directory. The device description file may contain an optional
"postpro" directive, which defines a command to be run after normal
processing. A malicious user could place a trojan device description file in
a world-writable directory (e.g., /tmp), after which any invocation of groff
from that directory is unsafe.



Impact:

Unsuspecting users, including root, could be coerced into running arbitrary
commands on the system.

The vulnerability is particularly dangerous in Linux distributions that have
the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set
which points to a wrapper script for the "less" pager program named
"/usr/bin/lesspipe.sh". If less is passed a filename with any of the
extensions ".1" through ".9", ".n", or ".man", it automatically calls groff
to handle the file.



Description:

Troff is a document processor that ships with most Unix systems. Among other
functions, it formats system manual pages into human-readable form. The GNU
Groff package includes "troff", the main processing program, and "groff", a
front-end for troff. Typically, troff is invoked by groff.

Troff supports a set of potentially dangerous macros: "open", "opena", "pso",
"sy", and "pi", which provide the means to write to files and execute
external commands. For example, "opena" opens a file for writing in append
mode and "sy" performs a C system() call with the specified argument.

The default in groff is that these dangerous macros are disabled. This is
accomplished by another macro defined in the file "tmac.safer". Unless
overridden by the -U (unsafe) flag, the groff program passes troff the
flag "-msafer", which instructs troff to process the tmac.safer macro
before the input file. However, before troff processes the tmac.safer macro,
it first looks for a "troffrc" initialization file. If one is found, it
executes the commands found therein first, bypassing the dangerous macro
protection. As mentioned above, troff looks for this initialization file in
the current directory, creating a potentially dangerous situation.



Groff (speaking of the actual program now, not the package as a whole) is a
front-end for troff. It supports a variety of output devices. For example,
the PostScript device is named "ps" and allows groff to generate output that
is fit to print on PostScript printers. There is a device for HTML, and one
called "ascii" that is used to pretty-print text on typewriter-like devices.

Each device supported by groff has a corresponding directory named
"dev<name>", where <name> is "ps", "ascii", etc. These directories are
typically installed under some trusted path on the system, e.g., /usr/lib.
The device description file is named "dev<name>/DESC". Since groff blindly
trusts "DESC" files contained under the current directory hierarchy, an
attacker may be able to fool another user into running any arbitrary
command using the "postpro" directive.

Solar Designer points out that the aforementioned files are not alone in the
set that may be accessed from the current directory. Other hard-coded
filenames, such as "troffrc-end", could fall within the `.' search path as
well (troffrc-end is loaded after the -msafer macros, though). In fact, the
macro files themselves reference other files that could reside in the
current directory.
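The following shell script is an added example; it is not part of the ISS advisory and not groff's own code. It audits a directory for the relative lookups described in the Description section: the hard-coded initialization and macro names Solar Designer raises, any dev<name>/DESC that carries a "postpro" directive, and whether the directory is world-writable, which is the precondition the synopsis gives for the /tmp scenario. It also reports the LESSOPEN setting from the Impact section. The sample directory built by make_sample_dir is constructed for demonstration, and the DESC it writes names a placeholder rather than a real command; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not ISS's or groff's code): find what groff/troff would
# read from a given directory if invoked there.

# Hard-coded names the advisory says are looked up relative to "."
# (troffrc-end and the macro file are the extra cases Solar Designer raised).
SUSPECT_NAMES="troffrc troffrc-end tmac.safer"

# audit_groff_dir DIR: print one FOUND/NOTE line per finding.
# Returns 1 if any suspicious file was found, 0 if the directory is clean.
audit_groff_dir() {
    dir=${1:-.}
    found=0
    for name in $SUSPECT_NAMES; do
        if [ -e "$dir/$name" ]; then
            echo "FOUND: $dir/$name (initialization or macro file read from the current directory)"
            found=1
        fi
    done
    # Device descriptions: dev<name>/DESC. groff trusts these over the copies
    # under the system library path, and postpro names a command to run after
    # formatting, so report that line verbatim when present.
    for desc in "$dir"/dev*/DESC; do
        [ -e "$desc" ] || continue
        line=$(grep '^postpro' "$desc" | head -n 1)
        if [ -n "$line" ]; then
            echo "FOUND: $desc declares a post-processor: $line"
        else
            echo "FOUND: $desc (device description shadowing the system copy)"
        fi
        found=1
    done
    # World-writable directory: any local user could plant the files above.
    if [ -n "$(find "$dir" -prune -perm -0002 -print 2>/dev/null)" ]; then
        echo "NOTE: $dir is world-writable"
    fi
    return $found
}

# report_lessopen: the lesspipe trigger described under "Impact".
# Returns 0 if LESSOPEN is set (less may hand .1-.9/.n/.man files to groff).
report_lessopen() {
    if [ -n "${LESSOPEN:-}" ]; then
        echo "NOTE: LESSOPEN=$LESSOPEN; 'less' on a manual page runs groff in the current directory"
        return 0
    fi
    echo "NOTE: LESSOPEN is not set"
    return 1
}

# make_sample_dir: build a constructed, world-writable sample directory
# holding a troffrc and a devps/DESC with a placeholder postpro line.
# Prints the directory name; the caller removes it.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/devps"
    printf 'res 72000\nunitwidth 1000\npostpro PLACEHOLDER_COMMAND\n' > "$d/devps/DESC"
    printf '.\\" constructed sample troffrc (no requests)\n' > "$d/troffrc"
    chmod 1777 "$d"
    printf '%s\n' "$d"
}

# Demonstration: first the constructed sample, then the real /tmp.
sample=$(make_sample_dir)
if ! audit_groff_dir "$sample"; then
    echo "--> $sample is unsafe to run groff, troff or man from"
fi
rm -rf "$sample"
if audit_groff_dir /tmp; then
    echo "--> /tmp carries no groff-related files right now"
fi
report_lessopen || true
```

Run it as `sh audit_groff.sh`, or source it and call `audit_groff_dir DIR` on any directory you are about to run man, groff or troff in. A nonzero return from audit_groff_dir is the signal to move elsewhere first; the script itself never opens or executes anything it finds.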



Recommendations:

Both administrators and users should exercise caution and not run "groff",
"troff", or even the "man" command from untrusted directories.

Internet Security Systems has not received a response from the current GNU
Groff maintainer. In the interest of accelerating the elimination of these
vulnerabilities, this advisory is being disseminated to the open source
community for public discussion.

Internet Security Systems recognizes that reading from the current directory
is traditional groff/troff behavior, and that in many document-creating
scenarios it is actually a useful `feature'. One possibility could be to not
trust the current directory at all by default, perhaps requiring a special
command line option to revert to the old behavior. At any rate, the fix is
not obvious, as per Solar Designer's analysis.

Note that troff's -R option ("Don't load troffrc") does not eliminate the
problem.
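As an added example (not from the advisory and not the groff project's code), the wrapper below carries out the recommendation mechanically rather than relying on -R: it runs the formatter from a freshly created private, empty directory, so none of the hard-coded relative names (troffrc, troffrc-end, dev<name>/DESC, files referenced by the macro packages) can resolve to anything the caller's working directory held. The function names run_from_clean_dir and absolutize are this example's own.

```shell
#!/bin/sh
# Added example (not ISS's or groff's code): run a command from a private
# empty directory so that relative lookups find nothing.
#
#   run_from_clean_dir groff -Tascii -man ./foo.1
#   run_from_clean_dir troff -man /usr/share/man/man1/ls.1

# absolutize PATH: print an absolute form of PATH if it names an existing
# file or directory; anything else (options such as -Tascii) is echoed as is,
# so the input file is still found after the working directory changes.
absolutize() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  if [ -e "$1" ]; then
                printf '%s/%s\n' "$(pwd -P)" "$1"
            else
                printf '%s\n' "$1"
            fi ;;
    esac
}

# run_from_clean_dir COMMAND [ARGS...]
# Returns COMMAND's exit status; 2 on usage error, 1 if no scratch dir.
run_from_clean_dir() {
    if [ $# -eq 0 ]; then
        echo "usage: run_from_clean_dir COMMAND [ARGS...]" >&2
        return 2
    fi
    # The command name is resolved through PATH and deliberately NOT
    # rewritten: a same-named file in the untrusted directory must not
    # be promoted to an absolute path and executed.
    cmd=$1
    shift
    # mktemp -d creates the directory with mode 0700, so no other user can
    # drop a file into it between creation and use.
    clean=$(mktemp -d) || return 1
    # Rebuild the positional parameters with absolute paths (POSIX sh has
    # no arrays). "$@" is expanded once, before the loop body changes it.
    for arg in "$@"; do
        set -- "$@" "$(absolutize "$arg")"
        shift
    done
    if ( cd "$clean" && "$cmd" "$@" ); then rc=0; else rc=$?; fi
    rm -rf "$clean"
    return $rc
}
```

This is aimed at tools that take file arguments, such as groff and troff; it does nothing for invocations that happen behind your back (lesspipe or man calling groff themselves) unless those paths are routed through it, and it does not protect a PATH that contains ".".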



Additional Information:

The dangerous Troff macros were discussed on the BUGTRAQ mailing list in
July, 1999 on a thread under the subject heading of "Troff dangerous". A
searchable archive of the BUGTRAQ list is at: http://www.securityfocus.com.

The Groff package can be found at the following FTP location:

http://ftp.gnu.org/pub/gnu/groff

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0803 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.





Credits:

This vulnerability was discovered and researched by Aaron Campbell and
Allen Wilson of the ISS X-Force. Internet Security Systems would like to
acknowledge Solar Designer for his analysis of this problem.



_______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.





-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOdtMgDRfJiV99eG9AQEqXAP8CH24N8b+q0Die6b44NRGEsHe1byU+OKt
VfTRPZMo/Ag8gv/ENSFuXt6B2TFKLEvM7uZlJuKnmAnKtIQIpaFh6J6TXPWki2V3
UghnlMQaIftSBNI/dKaxjMvzjHngNrR8dgrUdJj/I8lRK6UlRJy5U9jeFBXcVuJ6
HwJU3t9ySIo=
=FxuE
-----END PGP SIGNATURE-----