This exploit leverages a format string vulnerability in the `man` utility (v1.5l and below) by manipulating the NLSPATH/LANG environment variables to execute arbitrary shellcode with elevated privileges (setgid 'man'). The attack involves crafting a malicious catalog file and aligning environment variables to overwrite memory addresses.
Classification
Working Poc 95%
Target:
man v1.5l and below
No auth needed
Prerequisites:
Access to a vulnerable version of `man` · Ability to set environment variables · Write access to the user's home directory