Bugtraq mailing list archives

Re: Linux: exploit for killmouse.


From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Sat, 14 Dec 1996 20:05:22 -0600


And then Bo went and said something like this:

|Exploit:
|This can be exploited in a few similar ways.

SUID shell scripts are bad... but even just non-suid shell scripts
called from SUID programs that don't properly massage their environment
are bad news.

Which reminds me, there's a bigger hole in Doom.  It doesn't drop its
root permissions soon enough!  The user is allowed to set a sound server
in his/her .doomrc.  Normally, this is set to "sndserver".  However, this
can be set to *any* program, and that program runs as root!!

Doom, as with any SVGAlib program, should call vga_init() as the first
line of main().  It doesn't, and that's bad.  SVGAlib gets a lot of
bad press because of the suid-root issue, but the real problem rests
in poor coding of the client programs.  I like DOOM, but its port was
sloppily done.

--Joe

--
                                                :======= Joe Zbiciak =======:
                                                :- - im14u2c () bradley edu - -:
   "Ohm, ohm on the range,                      : - - - - - http: - - - - - :
    where the amps and inductances play..."     ://ee1.bradley.edu/~im14u2c/:
                                                :======= DISCLAIMER: =======:
                                                :---  I could be wrong,  ---:
                                                :======= but I'm not.=======:
(731:835 2:15)
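
The ordering the post calls for, as an added example (not part of the original post, and not Doom or SVGAlib code): a set-uid program gives up root permanently before it runs a user-chosen helper. The function names and the use of argv[1] as the configured helper are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently give up set-uid/set-gid privilege. Returns 0 on success. */
int drop_privileges(void)
{
    uid_t ruid = getuid();   /* the invoking user, not the file owner */
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped we may not be allowed to. */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Check the drop took effect and that root cannot be regained. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Run a user-configured helper with the invoking user's rights only.
 * Returns the helper's exit status, or -1 if it could not be run. */
int launch_helper(const char *helper)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: refuse to exec anything unless the drop succeeded. */
        if (drop_privileges() != 0) _exit(126);
        execlp(helper, helper, (char *)NULL);
        _exit(127);          /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    /* Drop first, before any user-controlled configuration is acted on. */
    if (drop_privileges() != 0) {
        fputs("cannot drop privileges, refusing to continue\n", stderr);
        return 1;
    }
    /* argv[1] stands in for the helper name read from a config file. */
    return argc > 1 ? launch_helper(argv[1]) : 0;
}
```

A program that needs root for hardware setup would do that setup first and call drop_privileges() immediately afterwards, still before reading any user-controlled settings.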


