Bugtraq mailing list archives

Re: Overflow in zgv-4.1?


From: pb () INSECURITY NET (Paul Boehm)
Date: Fri, 9 Oct 1998 14:58:50 +0200


On Thu, Oct 08, 1998 at 12:08:13AM -0500, onix wrote:
Possible security risk in setuid zgv 4.1 which may lead to local root
compromise.  zgv is installed setuid root by default.
--snip--

I found this overrun some months ago and even tried to exploit it...
all I got was a shell with MY uid... then I posted it to the security
auditing mailing list and Alan Cox pointed out that vga_init() drops
root privileges.. all you can gain from this overrun is video display access.

for the whole thread check out the secau mailing list archives at
   http://science.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/
or http://www2.merton.ox.ac.uk/~security/

bye,
    paul

PS: you can also overflow zgv using an overlong HOME environment variable.

--
.----------------------------------------------------------------------.
| mail: pb () insecurity net   :: url: http://paul.boehm.org               |
| irc:  infected            :: pgp: finger pb () insecurity net | pgp -fka |
 \.....Linux is like a wigwam - no windows, no gates, apache inside..../
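The point of the reply above is ordering: a setuid-root program that permanently drops root in its setup routine (vga_init() in zgv) before it ever touches attacker-controlled input turns a later stack overrun, including the overlong-HOME one mentioned in the PS, into a bug that runs with the invoking user's uid. The following C program is an added example written for this archive page, not zgv's code and not Paul's or Alan Cox's; drop_privileges(), expand_home(), demo_expand() and the ".zgvrc" file name are invented here, and the privileged setup is left as a comment. It shows the privilege drop with a verification step and the bounded HOME handling that rejects an overlong value instead of overrunning the buffer.

```c
/*
 * Added example, not part of zgv. Pattern: do privileged setup,
 * drop root permanently, verify the drop, then parse untrusted
 * environment with bounded copies.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PATH_BUF 256

/* Permanently drop any setuid-root privilege so that real, effective and
 * saved uid/gid all equal the invoking user's. Returns 0 on success, -1 if
 * a call fails or the process still looks privileged afterwards. */
int drop_privileges(void)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    if (setgid(real_gid) != 0)      /* group first, while still root */
        return -1;
    if (setuid(real_uid) != 0)      /* as root this clears the saved uid too */
        return -1;

    /* Never trust the drop blindly: confirm it actually took effect. */
    if (geteuid() != real_uid || getegid() != real_gid)
        return -1;
    return 0;
}

/* Build "<home>/<file>" into a caller-supplied buffer without overrunning it.
 * This is the bounded replacement for an unchecked strcpy(buf, getenv("HOME")),
 * which is the overlong-HOME overflow shape. Returns 0 on success, -1 when
 * home is unset or the result does not fit (buffer is left empty then). */
int expand_home(const char *home, const char *file, char *out, size_t outsz)
{
    if (home == NULL || file == NULL || out == NULL || outsz == 0)
        return -1;

    int n = snprintf(out, outsz, "%s/%s", home, file);
    if (n < 0 || (size_t)n >= outsz) {   /* truncated: refuse, don't guess */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Small wrapper with a deliberately short static buffer, used to show the
 * reject path on an overlong HOME. Returns the path or NULL if rejected. */
const char *demo_expand(const char *home)
{
    static char small[32];
    if (expand_home(home, ".zgvrc", small, sizeof small) != 0)
        return NULL;
    return small;
}

int main(void)
{
    /* 1. privileged work (stand-in for what vga_init() does as root) */

    /* 2. drop root BEFORE looking at anything the user controls */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }

    /* 3. only now read the environment, with a bounded copy */
    char path[PATH_BUF];
    if (expand_home(getenv("HOME"), ".zgvrc", path, sizeof path) != 0) {
        fprintf(stderr, "HOME unset or too long, refusing\n");
        return 1;
    }
    printf("uid=%u euid=%u config=%s\n",
           (unsigned)getuid(), (unsigned)geteuid(), path);
    return 0;
}
```

Run it as an unprivileged user and with an overlong HOME (for example HOME=$(printf 'A%.0s' $(seq 300)) ./a.out) to see the reject path; when installed setuid root, the effect to verify is that the printed euid equals the real uid after step 2.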

