[3798] in bugtraq
Re: Linux: exploit for killmouse.
daemon@ATHENA.MIT.EDU (Joe Zbiciak)
Sat Dec 14 22:05:13 1996
X-Apparently-From: "Not Your Average Joe [tm]" <im14u2c@cegt201.bradley.edu>
X-Apparently-To: You@Wherever.You.Are
Date: Sat, 14 Dec 1996 20:05:22 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
X-To: bo@ebony.iaehv.nl
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199612142259.XAA18875@ebony.iaehv.nl> from "Bo" at Dec 14, 96 11:59:52 pm
And then Bo went and said something like this:
|Exploit:
|This can be exploited in a few similar ways.
SUID shell scripts are bad... but even just non-suid shell scripts
called from SUID programs that don't properly massage their environment
are bad news.
Which reminds me, there's a bigger hole in Doom. It doesn't drop its
root permissions soon enough! The user is allowed to set a sound server
in his/her .doomrc. Normally, this is set to "sndserver". However, this
can be set to *any* program, and that program runs as root!!
Doom, as with any SVGAlib program, should call vga_init() as the first
line of main(). It doesn't, and that's bad. SVGAlib gets a lot of
bad press because of the suid-root issue, but the real problem rests
in poor coding of the client programs. I like DOOM, but its port was
sloppily done.
--Joe
--
:======= Joe Zbiciak =======:
:- - im14u2c@bradley.edu - -:
"Ohm, ohm on the range, : - - - - - http: - - - - - :
where the amps and inductances play..." ://ee1.bradley.edu/~im14u2c/:
:======= DISCLAIMER: =======:
:--- I could be wrong, ---:
:======= but I'm not.=======:
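The ordering fix Joe is describing, as an added example that is not part of the original post or of the Doom or SVGAlib sources: a setuid-root launcher must shed root before it reads anything the user controls, so that a sound server named in ~/.doomrc runs as the invoking user and never as root. vga_init() does this for SVGAlib clients; here the same step is done directly with setgid()/setuid() so the program runs anywhere. The "key value" config format, the SAMPLE_DOOMRC contents and the helper names are constructed for illustration; the post does not describe the real .doomrc layout.

```c
/* Added example: drop root before reading user-controlled configuration.
 * Not the Doom/SVGAlib code; the config format below is a constructed stand-in. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to the real (invoking) user's uid/gid.
 * Returns 0 on success, -1 if a step fails or privileges are still held. */
int drop_privileges(void)
{
    uid_t real_uid = getuid();
    gid_t real_gid = getgid();

    /* Group first: after the uid is dropped, setgid() would no longer be allowed. */
    if (setgid(real_gid) != 0)
        return -1;
    if (setuid(real_uid) != 0)
        return -1;

    /* Confirm the effective ids really changed. */
    if (geteuid() != real_uid || getegid() != real_gid)
        return -1;

    /* For a non-root invoker, regaining root must now fail.
     * (Skipped when invoked by root: there is nothing to drop to.) */
    if (real_uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Look up `key` in a minimal "key value" per-line config (constructed format).
 * Copies the value into out (size outsz). Returns 1 if found, 0 otherwise. */
int config_lookup(const char *config, const char *key, char *out, size_t outsz)
{
    const char *p = config;
    size_t klen = strlen(key);

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (len > klen && strncmp(p, key, klen) == 0 &&
            (p[klen] == ' ' || p[klen] == '\t')) {
            const char *v = p + klen;
            while (*v == ' ' || *v == '\t')
                v++;
            size_t vlen = (size_t)(p + len - v);
            if (vlen >= outsz)
                vlen = outsz - 1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Constructed sample ~/.doomrc with a user-chosen sound server path. */
static const char SAMPLE_DOOMRC[] =
    "screenblocks 10\n"
    "sndserver /home/user/bin/my_sndserver\n"
    "usemouse 1\n";

/* Helper: does the sample config's sndserver entry equal `expected`? */
int sample_sndserver_equals(const char *expected)
{
    char buf[256];
    if (!config_lookup(SAMPLE_DOOMRC, "sndserver", buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char sndserver[256];

    /* Step 1: shed root BEFORE touching anything the user controls. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }

    /* Step 2: only now read the user's config (here: the embedded sample). */
    if (!config_lookup(SAMPLE_DOOMRC, "sndserver", sndserver, sizeof sndserver))
        strcpy(sndserver, "sndserver"); /* the default the post mentions */

    /* Step 3: whatever the user named would now run with the user's own uid. */
    printf("would exec %s as uid %u (euid %u)\n", sndserver,
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The point of the ordering is that the config read and the exec happen only after drop_privileges() has succeeded and been verified; the same program with the read moved above the drop is the Doom hole described above.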