Bugtraq mailing list archives
Re: Linux GNOME exploit
From: sopwith () REDHAT COM (Elliot Lee)
Date: Mon, 27 Sep 1999 14:25:02 -0400
> Virtually any program using the GNOME libraries is vulnerable to a buffer
> overflow attack. The attack comes in the form:
>
> /path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer
>
> The following exploit should work against any GNOME program, though I
> tried it on (the irony) /usr/games/nethack, which is SGID root by default
> on RH6.0. An attack on any program will look something like this:
(a) Red Hat Linux does not come with nethack.

(b) I tried specifying a very long argument to --espeaker, and achieved no success in making anything segfault etc. (esound 0.2.14).

(c) GNOME is not designed to be used in setuid root programs. There is too much complexity involved to achieve any assurance of security in any GUI program - untrusted input can be supplied by the X server, environment variables, other file descriptors, and command line args, and processed in difficult-to-audit ways. Developers of ALL GUI programs (not just GNOME ones) should use small helper programs to access higher privilege levels.

Here are the programs in RH Rawhide gnome-* packages that attain additional privileges when run:

-r-xr-s--x   root   games   67596 Sep 21 15:38 /usr/bin/gnibbles
-r-xr-s--x   root   games   75900 Sep 21 15:38 /usr/bin/gnobots2
-r-xr-s--x   root   games   52592 Sep 21 15:38 /usr/bin/gnome-stones
-r-xr-s--x   root   games   71424 Sep 21 15:38 /usr/bin/gnomine
-r-xr-s--x   root   games   26036 Sep 21 15:38 /usr/bin/gnotravex
-r-xr-s--x   root   games  234200 Sep 21 15:38 /usr/bin/gtali
-r-xr-s--x   root   games   24156 Sep 21 15:38 /usr/bin/gturing
-r-xr-s--x   root   games   48444 Sep 21 15:38 /usr/bin/iagno
-r-xr-s--x   root   games   38788 Sep 21 15:38 /usr/bin/mahjongg
-r-xr-s--x   root   games   21268 Sep 21 15:38 /usr/bin/same-gnome
-rwxr-sr-x   root   utmp     8600 Sep 23 15:41 /usr/sbin/gnome-pty-helper

The gnome games fork a scores helper, then drop this privilege right away. The helper section has been written with security in mind. gnome-pty-helper has been audited.

I conclude that any security problems are caused by incorrect installation of third-party software.

-- Elliot
http://developer.gnome.org/

The first thing a programmer needs to admit is that any program is by far more complex than his own mind. That's why he partitions it into neat pieces and avoids complexity.