[9730] in bugtraq
Re: Security hole: "zgv"
daemon@ATHENA.MIT.EDU (Alistair Cunningham)
Mon Feb 22 13:58:20 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG, zoid@idsoftware.com
Date: Sat, 20 Feb 1999 23:00:05 +0000
Reply-To: Alistair Cunningham <ac212@CAM.AC.UK>
From: Alistair Cunningham <ac212@CAM.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.990219175605.9622A-100000@ferret.lmh.ox.ac.uk>; from Chris Evans on Fri, Feb 19, 1999 at 06:10:00PM +0000
On Fri, Feb 19, 1999 at 06:10:00PM +0000, Chris Evans wrote:
[ snip zgv security discussion ]
>
> This latter hole was interesting. It demonstrated that while an SVGAlib
> application drops root privileges after initializing, it is still
> vulnerable to buffer overflows because the program holds a vital resource;
> a writeable file descriptor to /dev/mem. This applies to all SVGAlib
> programs.
>
I've just tested, and this applies to Quake 2. This is particularly bad,
as Quake 2 supports user written .so files. Quake 2 drops root privileges
before loading them, but now it would appear that they can get root back.
Alistair Cunningham (who's just chmodded -s quake2)
--
--------------------------------------------------------------------------
Alistair Cunningham Selwyn College, Cambridge Email: ac212@cam.ac.uk
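The mechanism in the quoted discussion and the Quake 2 follow-up above, as an added example that is not code from svgalib, zgv or Quake 2: a descriptor walk that finds writable descriptors still pointing at /dev/mem, and a privilege-drop sequence that releases them before giving up root and re-checks before any user-supplied .so would be loaded. It assumes a Linux-style /dev/mem node and that the program opened it read-write at startup; `writable_fds_to` and `drop_privileges_safely` are names chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors that refer to `path` (same device and inode) and are
 * writable; if close_them is set, close each one. Returns the number found. */
static int writable_fds_to(const char *path, int close_them) {
    struct stat target, cur;
    if (stat(path, &target) != 0)
        return -1;                         /* path does not exist here */
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;                       /* bound the walk */
    int found = 0;
    for (int fd = 0; fd < max; fd++) {
        if (fstat(fd, &cur) != 0)          /* not an open descriptor */
            continue;
        if (cur.st_dev != target.st_dev || cur.st_ino != target.st_ino)
            continue;
        int fl = fcntl(fd, F_GETFL);
        if (fl < 0 || (fl & O_ACCMODE) == O_RDONLY)
            continue;                      /* read-only: not the hole here */
        found++;
        if (close_them)
            close(fd);
    }
    return found;
}

/* Hardened drop sequence (constructed example, not svgalib's own code): the
 * writable /dev/mem descriptor is released BEFORE root is given up, and the
 * result is re-checked before any user-supplied .so would be loaded. */
static int drop_privileges_safely(void) {
    writable_fds_to("/dev/mem", 1);        /* -1 (no such node) is fine */
    uid_t uid = getuid();
    if (setuid(uid) != 0)                  /* drop root permanently */
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;                         /* drop did not stick */
    /* After this point nothing writable to /dev/mem may remain. */
    return writable_fds_to("/dev/mem", 0) > 0 ? -1 : 0;
}
```

Run as root it leaves no writable /dev/mem descriptor behind; run unprivileged it still verifies that the drop is permanent and the walk finds nothing.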