Bugtraq mailing list archives

Re: Linux GNOME exploit

From: sopwith () REDHAT COM (Elliot Lee)
Date: Mon, 27 Sep 1999 14:25:02 -0400

Virtually any program using the GNOME libraries is vulnerable to a
buffer overflow attack.  The attack comes in the form:

/path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer

The following exploit should work against any GNOME program, though I
tried it on (the irony) /usr/games/nethack, which is SGID root by
default on RH6.0.  An attack on any program will look something like
this:


(a) Red Hat Linux does not come with nethack.
(b) I tried specifying a very long argument to --espeaker, and achieved
    no success in making anything segfault etc. (esound 0.2.14).
(c) GNOME is not designed to be used in setuid root programs. There is
    too much complexity involved to achieve any assurance of security
    in any GUI program - untrusted input can be supplied by the X server,
    environment variables, other file descriptors, and command line args,
    and processed in difficult-to-audit ways.

    Developers of ALL GUI programs (not just GNOME ones) should
    use small helper programs to access higher privilege levels.

Here are the programs in RH Rawhide gnome-* packages that attain
additional privileges when run:

-r-xr-s--x     root    games        67596 Sep 21 15:38 /usr/bin/gnibbles
-r-xr-s--x     root    games        75900 Sep 21 15:38 /usr/bin/gnobots2
-r-xr-s--x     root    games        52592 Sep 21 15:38 /usr/bin/gnome-stones
-r-xr-s--x     root    games        71424 Sep 21 15:38 /usr/bin/gnomine
-r-xr-s--x     root    games        26036 Sep 21 15:38 /usr/bin/gnotravex
-r-xr-s--x     root    games       234200 Sep 21 15:38 /usr/bin/gtali
-r-xr-s--x     root    games        24156 Sep 21 15:38 /usr/bin/gturing
-r-xr-s--x     root    games        48444 Sep 21 15:38 /usr/bin/iagno
-r-xr-s--x     root    games        38788 Sep 21 15:38 /usr/bin/mahjongg
-r-xr-s--x     root    games        21268 Sep 21 15:38 /usr/bin/same-gnome
-rwxr-sr-x     root     utmp         8600 Sep 23 15:41 /usr/sbin/gnome-pty-helper

The gnome games fork a scores helper, then drop this privilege right away.
The helper section has been written with security in mind.

gnome-pty-helper has been audited.

I conclude that any security problems are caused by incorrect installation
of third-party software.
-- Elliot                                       http://developer.gnome.org/
The first thing a programmer needs to admit is that any program is by far
more complex than his own mind. Thats why he partitions it into neat
pieces and avoids complexity.

Current thread:

Linux GNOME exploit Brock Tellier (Sep 23)
- Re: Linux GNOME exploit Alan Cox (Sep 27)
- Re: Linux GNOME exploit Brock Tellier (Sep 27)
  - Re: Linux GNOME exploit Matt Wilson (Sep 27)
  - Re: Linux GNOME exploit Ron DuFresne (Sep 29)
    - Re: Linux GNOME exploit Slackware Security Team (Sep 29)
    - Multiple Vendor ARCAD permission problems Brock Tellier (Sep 29)
- Re: Linux GNOME exploit Chmouel Boudjnah (Sep 27)
- <Possible follow-ups>
- Re: Linux GNOME exploit Elliot Lee (Sep 27)
  - Re: Linux GNOME exploit Adam Sampson (Sep 28)
- Re: Linux GNOME exploit Thomas Biege (Sep 28)