[4765] in bugtraq


Re: svgalib/zgv

daemon@ATHENA.MIT.EDU (Dave G.)
Sun Jun 22 01:26:35 1997

Date: 	Sat, 21 Jun 1997 16:21:26 -0700
Reply-To: "Dave G." <dhg@DEC.NET>
From: "Dave G." <dhg@DEC.NET>
X-To:         devel@meat.plaguez.org
To: BUGTRAQ@NETSPACE.ORG

>
> zgv/svgalib "vulnerability" ?
>
> hello,
>
> I don't really see where the problem with zgv/svgalib is.
>
> There is obviously a buffer overflow with the $HOME
> environment variable, but all my attempts to exploit
> this failed: svgalib had well dropped root perms
> (see below). Any idea ?
> (I'm using Redhat 3.0.3, 4.0.0, svgalib 1.2.9)
>
> From vga_init():
>      ...
>      seteuid(getuid());
>      setgid(getegid());
>      ...
>

The problem with changing the effective user id is that on systems with
saved user ids, one can change the effective user id back to the saved
user id.

The test code at the bottom of this message illustrates this.

> Sample try:
>
> [devel@plaguez]$ uname -a
> Linux plaguez 2.0.30 #7 Sat Jun 21 09:35:21 MET 1997 i486
> [devel@plaguez]$ ls -al /usr/bin/zgv
> -r-s--x--x   1 root     root        87780 Feb 26  1996 /usr/bin/zgv
> [devel@plaguez]$ ./overflow HOME 1124 0 /usr/bin/zgv
> bash$
>

In your shellcode, try adding a setreuid(-1, 0) before you exec the shell.


--- begin test code --
/*
 * compile this, make it setuid root and run it as an ordinary user.
 *
 * Dave G.
 * <dhg@dec.net>
 */

#include <stdio.h>
#include <unistd.h>

int main(void)
{
   /* setuid-root binary: real uid is the caller's, effective uid is 0 */
   fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());
   /* the svgalib-style "drop": only the effective uid changes, the
    * saved set-user-ID is still 0 */
   seteuid(getuid());
   fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());
   /* allowed because the saved uid is 0: we are root again */
   seteuid(0);
   fprintf(stdout, "real: %d\t Eff: %d\n", (int)getuid(), (int)geteuid());
   return 0;
}
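For comparison, the following is an added example (not part of Dave's post or of svgalib) showing the fix on the defending side: a setuid program that wants to give up root for good must set the real, effective and saved user ids together, which on Linux means setresuid(), and then verify with getresuid() that all three really changed. The function names drop_privileges_permanently() and can_regain_uid() are this example's own. Compile it, optionally make it setuid root, and run it as an ordinary user; the first "can regain" line is "yes" only while the saved uid is still root, the second is "no" once the drop is permanent.

```c
/*
 * Added example: temporary drop with seteuid() versus permanent drop with
 * setresuid(). Not from the original post.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototypes for the Linux/BSD extensions, in case <unistd.h> was already
 * read without _GNU_SOURCE in effect. Same signatures as glibc's. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

/* Print the real, effective and saved set-user-IDs. */
static void show_ids(const char *label)
{
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) {
        perror("getresuid");
        return;
    }
    printf("%-26s real=%d eff=%d saved=%d\n", label, (int)r, (int)e, (int)s);
}

/* Permanent drop: set all three ids to uid, then re-read them to confirm
 * the kernel actually applied the change. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(uid_t uid)
{
    uid_t r, e, s;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == uid && e == uid && s == uid) ? 0 : -1;
}

/* Returns 1 if the process can still switch its effective uid to target
 * (which is possible whenever target is the real, effective or saved uid),
 * 0 otherwise. The effective uid is restored before returning. */
int can_regain_uid(uid_t target)
{
    uid_t before = geteuid();
    if (seteuid(target) == 0) {
        seteuid(before);
        return 1;
    }
    return 0;
}

int main(void)
{
    show_ids("at start");

    /* The svgalib-style drop from the quoted vga_init(): effective uid only. */
    seteuid(getuid());
    show_ids("after seteuid(getuid())");
    printf("can regain uid 0? %s\n", can_regain_uid(0) ? "yes" : "no");

    /* The correct drop: real, effective and saved uid all set at once. */
    if (drop_privileges_permanently(getuid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    show_ids("after setresuid(uid,uid,uid)");
    printf("can regain uid 0? %s\n", can_regain_uid(0) ? "yes" : "no");
    return 0;
}
```

Note that calling the POSIX setuid() after a seteuid() drop does not rescue the situation: once the effective uid is no longer 0, setuid() on Linux changes only the effective uid and leaves the saved uid at root, which is why the example sets all three ids explicitly and checks the result rather than trusting the return code alone.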


---                                                                ---
David Goldsmith                                            dhg@dec.net
DEC Consulting                                      http://www.dec.net
Software Development/Internet Security
KSR[T]
