[12025] in bugtraq


Re: Linux GNOME exploit

daemon@ATHENA.MIT.EDU (Elliot Lee)
Tue Sep 28 14:15:23 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9909271354390.24183-100000@lacrosse.corp.redhat.com>
Date:         Mon, 27 Sep 1999 14:25:02 -0400
Reply-To: Elliot Lee <sopwith@REDHAT.COM>
From: Elliot Lee <sopwith@REDHAT.COM>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

> Virtually any program using the GNOME libraries is vulnerable to a
> buffer overflow attack.  The attack comes in the form:
>
> /path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer
>
> The following exploit should work against any GNOME program, though I
> tried it on (the irony) /usr/games/nethack, which is SGID root by
> default on RH6.0.  An attack on any program will look something like
> this:

(a) Red Hat Linux does not come with nethack.
(b) I tried specifying a very long argument to --espeaker, and achieved
    no success in making anything segfault etc. (esound 0.2.14).
(c) GNOME is not designed to be used in setuid root programs. There is
    too much complexity involved to achieve any assurance of security
    in any GUI program - untrusted input can be supplied by the X server,
    environment variables, other file descriptors, and command line args,
    and processed in difficult-to-audit ways.

    Developers of ALL GUI programs (not just GNOME ones) should
    use small helper programs to access higher privilege levels.

Here are the programs in RH Rawhide gnome-* packages that attain
additional privileges when run:

-r-xr-s--x     root    games        67596 Sep 21 15:38 /usr/bin/gnibbles
-r-xr-s--x     root    games        75900 Sep 21 15:38 /usr/bin/gnobots2
-r-xr-s--x     root    games        52592 Sep 21 15:38 /usr/bin/gnome-stones
-r-xr-s--x     root    games        71424 Sep 21 15:38 /usr/bin/gnomine
-r-xr-s--x     root    games        26036 Sep 21 15:38 /usr/bin/gnotravex
-r-xr-s--x     root    games       234200 Sep 21 15:38 /usr/bin/gtali
-r-xr-s--x     root    games        24156 Sep 21 15:38 /usr/bin/gturing
-r-xr-s--x     root    games        48444 Sep 21 15:38 /usr/bin/iagno
-r-xr-s--x     root    games        38788 Sep 21 15:38 /usr/bin/mahjongg
-r-xr-s--x     root    games        21268 Sep 21 15:38 /usr/bin/same-gnome
-rwxr-sr-x     root     utmp         8600 Sep 23 15:41 /usr/sbin/gnome-pty-helper

The gnome games fork a scores helper, then drop this privilege right away.
The helper section has been written with security in mind.

gnome-pty-helper has been audited.

I conclude that any security problems are caused by incorrect installation
of third-party software.
-- Elliot					http://developer.gnome.org/
The first thing a programmer needs to admit is that any program is by far
more complex than his own mind. That's why he partitions it into neat
pieces and avoids complexity.
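The privilege-separation pattern the reply recommends (fork a small scores helper that keeps the setgid privilege, then drop it in the GUI process right away) is easy to get subtly wrong, so here is an added illustration of it. This is example code written for this archive page, not GNOME's or Red Hat's own scores helper; the scores path, the record format "<name> <score>\n" and the score limit are assumptions made for the example. It is Linux/glibc specific because it relies on setresgid(2) to clear the saved set-group-id as well as the effective one.

```c
/* Added example (not GNOME code): a setgid-games program that hands the
 * scores file to a forked helper and then drops its group privilege for good.
 * Assumptions: scores live at SCORES_PATH, records are "<name> <score>\n". */
#define _GNU_SOURCE          /* setresgid() on glibc */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SCORES_PATH "/tmp/example-scores"   /* hypothetical path */
#define MAX_SCORE   1000000L                /* hypothetical sanity limit */

/* Drop the setgid privilege permanently: real, effective AND saved gid all
 * become the real gid, and the result is verified because setgid-family
 * calls can fail and a silently ignored failure leaves the privilege in
 * place. Returns 0 on success, -1 on failure. */
int drop_group_privs(void)
{
    gid_t rgid = getgid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    if (getegid() != rgid)          /* belt and braces: check it really took */
        return -1;
    return 0;
}

/* Parse one record from the (now unprivileged, hence untrusted) game process.
 * Accepts only "<alnum/underscore name> <0..MAX_SCORE>\n"; anything else,
 * including a truncated line without its newline, is rejected.
 * Returns 0 on success, -1 on a malformed record. */
int parse_score_record(const char *line, char *name, size_t name_len, long *score)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL || sp == line)
        return -1;
    size_t n = (size_t)(sp - line);
    if (n >= name_len)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)line[i]) && line[i] != '_')
            return -1;
    char *end;
    errno = 0;
    long v = strtol(sp + 1, &end, 10);
    if (errno != 0 || end == sp + 1 || *end != '\n' || end[1] != '\0')
        return -1;
    if (v < 0 || v > MAX_SCORE)
        return -1;
    memcpy(name, line, n);
    name[n] = '\0';
    *score = v;
    return 0;
}

/* The privileged helper: read records from the pipe, append the valid ones.
 * It never looks at argv, the environment or the display. */
static int run_scores_helper(int read_fd, const char *path)
{
    FILE *in = fdopen(read_fd, "r");
    FILE *out = fopen(path, "a");
    char line[128], name[32];
    long score;
    int bad = 0;
    if (in == NULL || out == NULL)
        return 1;
    while (fgets(line, sizeof line, in) != NULL) {
        if (parse_score_record(line, name, sizeof name, &score) != 0) {
            bad++;                  /* drop it; never trust the game side */
            continue;
        }
        fprintf(out, "%s %ld\n", name, score);
    }
    fclose(out);
    return bad ? 2 : 0;
}

/* Fork the helper while still privileged, then drop the privilege in the
 * parent before any GUI/library code runs. Returns the write end of the
 * pipe to the helper, or -1 on failure. */
int start_scores_helper(const char *path)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                 /* helper: keeps the games gid */
        close(fds[1]);
        _exit(run_scores_helper(fds[0], path));
    }
    close(fds[0]);                  /* game: drop privilege right away */
    if (drop_group_privs() != 0) {
        close(fds[1]);
        return -1;
    }
    return fds[1];
}

int main(void)
{
    int fd = start_scores_helper(SCORES_PATH);
    if (fd < 0) {
        perror("start_scores_helper");
        return 1;
    }
    /* From here on the game runs with the caller's own gid only; the
     * --espeaker argument, $DISPLAY and friends are parsed unprivileged. */
    dprintf(fd, "alice %d\n", 4200);             /* accepted by the helper */
    dprintf(fd, "../../etc/passwd 1\n");         /* rejected by the helper */
    close(fd);
    wait(NULL);
    return 0;
}
```

The order matters: the fork happens first so the child inherits the games gid, and drop_group_privs() runs before any library initialisation in the parent. Forking the whole game still leaves every page of the GUI binary mapped in the privileged child, which is why a separate tiny helper binary that the game execs (as gnome-pty-helper is) is the stronger form of the same idea.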
