[8156] in bugtraq
Re: Overflow in zgv-4.1?
daemon@ATHENA.MIT.EDU (Paul Boehm)
Fri Oct 9 14:56:21 1998
Date: Fri, 9 Oct 1998 14:58:50 +0200
Reply-To: Paul Boehm <pb@INSECURITY.NET>
From: Paul Boehm <pb@INSECURITY.NET>
X-To: onix <onix@AUTOBAHN.MB.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.981007235716.11535A-100000@onix>; from onix on Thu, Oct 08, 1998 at 12:08:13AM -0500
On Thu, Oct 08, 1998 at 12:08:13AM -0500, onix wrote:
> Possible security risk in setuid zgv 4.1 which may lead to local root
> compromise. zgv is installed setuid root by default.
--snip--
I found this overrun some months ago and even tried to exploit it...
all I got was a shell with MY uid. Then I posted it to the security
auditing mailing list and Alan Cox pointed out that vga_init() drops
root privileges; all you can gain from this overrun is video display access.
For the whole thread check out the secau mailing list archives at
http://science.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/
or http://www2.merton.ox.ac.uk/~security/
bye,
paul
PS: You can also overflow zgv using an overlong HOME environment variable.
--
.----------------------------------------------------------------------.
| mail: pb@insecurity.net :: url: http://paul.boehm.org |
| irc: infected :: pgp: finger pb@insecurity.net | pgp -fka |
\.....Linux is like a wigwam - no windows, no gates, apache inside..../
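The point of the reply above is one of ordering: the overrun is real, but because zgv's vga_init() has already given up root by the time attacker-controlled data (a file, or the HOME variable mentioned in the PS) is handled, the shellcode runs with the caller's own uid. The following C program is an added illustration, not zgv's code and not from anyone in this thread. It models that start-up order with a stand-in for vga_init(), a drop_privileges() routine that verifies the drop actually stuck, and an unbounded HOME-into-fixed-buffer copy shown beside a bounded form that refuses overlong input. The function names, the 64-byte buffer and the ".zgvrc" file name are assumptions for illustration.

```c
/* Added example (not zgv's code): the ordering that makes a stack overflow in a
 * setuid-root program yield only the caller's own uid. The privileged step runs
 * first, root is dropped and the drop is verified, and only then is untrusted
 * input such as HOME touched. Function names, the 64-byte buffer and the
 * ".zgvrc" file name are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define RCPATH_LEN 64   /* assumed fixed-size buffer, the kind HOME can overrun */

/* Permanently drop root. From uid 0, setuid() sets real, effective and saved
 * uid, so the process cannot regain root later. Returns 0 on success, -1 if
 * the drop cannot be verified. */
int drop_privileges(void)
{
    uid_t real = getuid();

    if (setuid(real) != 0)
        return -1;
    if (geteuid() != real)            /* effective uid must now be the real one */
        return -1;
    if (real != 0 && setuid(0) == 0)  /* and regaining root must fail */
        return -1;
    return 0;
}

/* Stand-in for zgv's vga_init(): the step that genuinely needs root.
 * Here it only reports which uid it ran with. */
static uid_t acquire_video_access(void)
{
    return geteuid();
}

/* Vulnerable pattern: unbounded copy of an attacker-controlled HOME into a
 * fixed buffer. Shown for contrast; never call it with untrusted input. */
void build_rc_path_unsafe(const char *home, char out[RCPATH_LEN])
{
    strcpy(out, home);              /* an overlong HOME writes past out[] */
    strcat(out, "/.zgvrc");
}

/* Hardened form: bounded formatting that refuses (rather than truncates or
 * overflows) when the result would not fit. Returns 0 on success, -1 otherwise. */
int build_rc_path(const char *home, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/.zgvrc", home ? home : "");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Models the program's start-up order. Returns the effective uid that the
 * HOME-handling code runs with, or (uid_t)-1 if dropping root failed. */
uid_t uid_while_handling_home(void)
{
    char rcpath[RCPATH_LEN];

    acquire_video_access();         /* needs root: do it first */
    if (drop_privileges() != 0)     /* then give root up, permanently */
        return (uid_t)-1;
    build_rc_path(getenv("HOME"), rcpath, sizeof rcpath);  /* untrusted data last */
    return geteuid();
}

/* Builds a constructed HOME of the given length and runs the hardened path
 * builder against the fixed buffer; returns build_rc_path()'s result. */
int demo_home_handling(size_t homelen)
{
    char rcpath[RCPATH_LEN];
    char *home = malloc(homelen + 1);
    int rc;

    if (!home)
        return -1;
    memset(home, 'A', homelen);     /* constructed input, not a real path */
    home[homelen] = '\0';
    rc = build_rc_path(home, rcpath, sizeof rcpath);
    free(home);
    return rc;
}

int main(void)
{
    printf("short HOME: %d, overlong HOME: %d\n",
           demo_home_handling(10), demo_home_handling(200));
    printf("uid while handling HOME: %u (real uid %u)\n",
           (unsigned)uid_while_handling_home(), (unsigned)getuid());
    return 0;
}
```

Run as an ordinary user, the uid reported while HOME is handled equals the real uid, which is the situation the reply describes: whatever an overflow in that stage gains, it is not root. The check that setuid(0) fails after the drop matters because a program that only lowered its effective uid (keeping a saved uid of 0) could be switched back to root by the very shellcode the overflow delivers.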