Bugtraq mailing list archives
Re: svgalib/zgv
From: dhg () DEC NET (Dave G.)
Date: Sat, 21 Jun 1997 16:21:26 -0700
> zgv/svgalib "vulnerability" ?
>
> Hello, I don't really see where the problem with zgv/svgalib is. There is
> obviously a buffer overflow with the $HOME environment variable, but all my
> attempts to exploit this failed: svgalib had well dropped root perms (see
> below). Any idea? (I'm using Redhat 3.0.3, 4.0.0, svgalib 1.2.9)
>
> From vga_init():
>
>     ...
>     seteuid(getuid());
>     setgid(getegid());
>     ...
The problem with changing the effective user id is that on systems with saved user ids, one can change the effective user id back to the saved user id. The test code at the bottom of this message illustrates this.
> Sample try:
>
> [devel@plaguez]$ uname -a
> Linux plaguez 2.0.30 #7 Sat Jun 21 09:35:21 MET 1997 i486
> [devel@plaguez]$ ls -al /usr/bin/zgv
> -r-s--x--x   1 root     root        87780 Feb 26  1996 /usr/bin/zgv
> [devel@plaguez]$ ./overflow HOME 1124 0 /usr/bin/zgv
> bash$
In your shellcode, try adding a setreuid(-1, 0) before you exec the shell.

--- begin test code --
/*
 * compile this, make it setuid root and run it as an ordinary user.
 *
 * Dave G.
 * <dhg () dec net>
 */
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    /* setuid-root binary: real = caller, effective = 0, saved = 0 */
    fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());

    /* what svgalib does: only the effective uid drops, the saved uid stays 0 */
    seteuid(getuid());
    fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());

    /* ... so the effective uid can be switched straight back to root */
    seteuid(0);
    fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());
    return 0;
}
---

---
David Goldsmith                          dhg () dec net
DEC Consulting                           http://www.dec.net
Software Development/Internet Security
KSR[T]