Bugtraq mailing list archives
Re: Overflow in zgv-4.1?
From: pb () INSECURITY NET (Paul Boehm)
Date: Fri, 9 Oct 1998 14:58:50 +0200
On Thu, Oct 08, 1998 at 12:08:13AM -0500, onix wrote:
> Possible security risk in setuid zgv 4.1 which may lead to local root compromise. zgv is installed setuid root by default.
> --snip--

i found this overrun some months ago and even tried to exploit it... all i got was a shell with MY uid... then i posted it to the security auditing mailing list and Alan Cox pointed out that vga_init() drops root privileges.. all you can gain from this overrun is video display access.

for the whole thread check out the secau mailing list archives at
http://science.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/
or
http://www2.merton.ox.ac.uk/~security/

bye,
paul

PS: you can also overflow zgv using an overlong HOME environment variable.

--
.----------------------------------------------------------------------.
| mail: pb () insecurity net :: url: http://paul.boehm.org |
| irc: infected :: pgp: finger pb () insecurity net | pgp -fka |
\.....Linux is like a wigwam - no windows, no gates, apache inside..../
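The mitigation described in the message above (root privileges given up before attacker-controlled input such as HOME is handled), as an added C example that is not part of the original post and is not zgv or svgalib code. It assumes a setuid-root binary started by an ordinary user; the function names are hypothetical.

```c
/* Added illustration; not zgv or svgalib source. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up setuid-root privileges for good.
 * Returns 0 after a verified drop, 1 if the invoking user is root
 * (nothing to drop), -1 if the drop failed or could be undone. */
int drop_to_invoking_user(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (ruid == 0)
        return 1;
    /* Group first: after the uid drop the process may no longer change gid. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets the real, effective and saved uid. */
    if (setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* Regaining root must fail; if it works, a saved uid 0 survived. */
    return setuid(0) == 0 ? -1 : 0;
}

/* Copy an environment-supplied path; reject overlong input, never truncate. */
int copy_path_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || dstlen == 0 || src == NULL)
        return -1;
    n = strlen(src);
    if (n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

int main(void)
{
    char home[256];

    if (drop_to_invoking_user() < 0)
        return EXIT_FAILURE;   /* never continue half-privileged */
    if (copy_path_checked(home, sizeof home, getenv("HOME")) != 0)
        return EXIT_FAILURE;
    printf("euid=%ld home=%s\n", (long)geteuid(), home);
    return 0;
}
```

The drop only bounds what a later memory-corruption bug can reach; the length check is still needed, since whatever the process keeps after the drop (here, video display access) remains exposed.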