[23531] in bugtraq


Re: xmms/xchat full access shared memory segments (and Mozilla)

daemon@ATHENA.MIT.EDU (Ian Freislich)
Mon Dec 17 15:32:08 2001

To: julien vanegue <julien.vanegue@epitech.net>
Cc: bugtraq@securityfocus.com
In-reply-to: Your message of "Sun, 16 Dec 2001 08:02:37 +0100."
             <200112160702.fBG72cU04105@hermes.epita.fr> 
Date: Sun, 16 Dec 2001 09:40:51 +0200
From: Ian Freislich <iang@digs.iafrica.com>
Message-Id: <E16FVul-00053G-00@brane.digs.iafrica.com>

julien vanegue wrote:
> The problem seems to affect a lot of programs, because they do not
> fill the last parameter of the syscall correctly, but it is rarely
> exploitable.
> 
> int shmget(key_t key, size_t size, int shmflg);

Well, the culprit is gtk:

(gtk+-1.2.10/gdk/gdkimage.c line 214)
x_shm_info->shmid = shmget (IPC_PRIVATE,
    private->ximage->bytes_per_line * private->ximage->height,
    IPC_CREAT | 0777);

where the mode is explicitly set.  Don't know what this will break
if it gets set to 0600.

[brane] /usr/ports/x11-toolkits/gtk12 # ipcs -p -m
Shared Memory:
T     ID     KEY        MODE       OWNER    GROUP  CPID  LPID
m  65536    5432001 --rw-------    pgsql    pgsql    271    271
m 1441793         0 --rw-------     iang    guest  19400    324

[brane] /usr/ports/x11-toolkits/gtk12 # ps -p 19400
  PID  TT  STAT      TIME COMMAND
19400  p4  S+     0:06.11 xmms


The little that I have linking against gtk seems to work.

Ian

--
Ian Freislich
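As an added illustration of the point in the message above (this is not code from the mail, from gtk, or from xmms), the following C program creates a private System V shared memory segment with the same `IPC_CREAT | 0777` mode the quoted gdkimage.c line uses, reads the permission bits back through `shmctl(IPC_STAT)` the way `ipcs -m` displays them, flags segments whose "other" bits grant read or write access, and shows the mitigation of tightening an existing segment to 0600 with `IPC_SET`. Function names, the 4096-byte size and the rwx rendering are choices made for this example.

```c
/* Added example, not part of the original mail or of gtk: create a
 * System V shared-memory segment as the quoted gdkimage.c does
 * (IPC_CREAT | 0777), inspect its permission bits as ipcs(1) would,
 * and tighten them to owner-only with IPC_SET. */
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Create a private segment with the given permission bits. Returns the
 * segment id, or -1 on failure (e.g. a kernel without SysV IPC). */
int create_segment(size_t size, int mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | (mode & 0777));
}

/* Permission bits of an existing segment (what ipcs shows), or -1 on error. */
int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return ds.shm_perm.mode & 0777;
}

/* Pure check on a mode value: does "other" get read or write access?
 * This is the condition that makes a segment like the 0777 one worth fixing. */
int mode_allows_others(int mode)
{
    return (mode & 0006) != 0;
}

/* Render the low nine bits like the MODE column of ipcs(1), e.g. "rw-------".
 * The caller supplies a buffer of at least 10 bytes. */
const char *mode_to_string(int mode, char out[10])
{
    const char *bits = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (mode & (0400 >> i)) ? bits[i] : '-';
    out[9] = '\0';
    return out;
}

/* Mitigation for an already-created segment: keep owner rw only.
 * Returns 0 on success, -1 on error. */
int restrict_segment(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    ds.shm_perm.mode = (ds.shm_perm.mode & ~0777) | 0600;
    return shmctl(shmid, IPC_SET, &ds);
}

/* Mark the segment for removal once nobody is attached. */
int remove_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    char buf[10];
    int id = create_segment(4096, 0777);   /* the mode gdkimage.c asks for */
    if (id == -1) {
        perror("shmget");
        return 1;
    }
    printf("created    id=%d mode=%s others=%d\n", id,
           mode_to_string(segment_mode(id), buf),
           mode_allows_others(segment_mode(id)));
    restrict_segment(id);
    printf("restricted id=%d mode=%s others=%d\n", id,
           mode_to_string(segment_mode(id), buf),
           mode_allows_others(segment_mode(id)));
    remove_segment(id);
    return 0;
}
```

Running it as an unprivileged user prints the segment first as `rwxrwxrwx` with `others=1`, then as `rw-------` with `others=0`; the second line matches the `--rw-------` entries in the `ipcs -p -m` output quoted above. Note that `IPC_SET` only changes the nine permission bits, so the same approach can be applied to a live segment without detaching its users.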
