[12072] in bugtraq
Re: Linux GNOME exploit
daemon@ATHENA.MIT.EDU (Adam Sampson)
Thu Sep 30 14:37:10 1999
Mail-Followup-To: BUGTRAQ@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990928214452.E3139@gnu.org>
Date: Tue, 28 Sep 1999 21:44:52 +0100
Reply-To: azz@gnu.org
From: Adam Sampson <azz@GNU.ORG>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.9909271354390.24183-100000@lacrosse.corp.redhat.com>
On Mon, Sep 27, 1999 at 02:25:02PM -0400, Elliot Lee wrote:
> > Virtually any program using the GNOME libraries is vulnerable to a
> > buffer overflow attack. The attack comes in the form:
> > /path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer
> (b) I tried specifying a very long argument to --espeaker, and achieved
> no success in making anything segfault etc. (esound 0.2.14).
On my box:
[azz@cartman ~]$ panel --version
Gnome panel 1.0.6
[azz@cartman ~]$ panel --enable-sound --espeaker=11111111111111111111111111\
111111111111111111111111111111111111111111111111111111111111111111111
Can't resolve host name
"1111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111"!
Segmentation fault
I'm using esound 0.2.8. This is probably more a libesd issue than a GNOME
issue...
But X programs, as said before, should under no conditions be suid. In fact,
nothing longer than 100 lines would be suid if I had anything to do with it.
:)
--
Adam Sampson
azz@gnu.org
