[9762] in bugtraq
Re: Security hole: "zgv"
daemon@ATHENA.MIT.EDU (Vincent Janelle)
Tue Feb 23 18:01:44 1999
Date: Mon, 22 Feb 1999 13:13:01 -0800
Reply-To: Vincent Janelle <malokai@GILDEA.NET>
From: Vincent Janelle <malokai@GILDEA.NET>
X-To: Alistair Cunningham <ac212@CAM.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990220230005.A823@ursa.sel.cam.ac.uk>
Quake2 does not support user written shared objects. It only reads out of
the dir in /etc/quake2.conf.
As for multiplayer games, quake2 modifications are server-side, ergo, the
server admin should be worried about security (AND NOT running quake2
-dedicated as root).
If you let users write to the dir that suid apps read from, you're asking
for more trouble than anything else.
------------
January 1998 -- Cure for cancer found when researchers search on
AltaVista for "+cure.for.cancer."
--http://random.gimp.org --mailto:random@gimp.org --UIN 23939474
--Try "talk random@random.themes.org" sometime =)
On Sat, 20 Feb 1999, Alistair Cunningham wrote:
> On Fri, Feb 19, 1999 at 06:10:00PM +0000, Chris Evans wrote:
>
> [ snip zgv security discussion ]
>
> >
> > This latter hole was interesting. It demonstrated that while an SVGAlib
> > application drops root privileges after initializing, it is still
> > vulnerable to buffer overflows because the program holds a vital resource;
> > a writeable file descriptor to /dev/mem. This applies to all SVGAlib
> > programs.
> >
>
> I've just tested, and this applies to quake 2. This is particularly bad,
> as quake 2 supports user written .so files. Quake 2 drops root privileges
> before loading them, but now it would appear that they can get root back.
>
>
> Alistair Cunningham (who's just chmodded -s quake2)
>
> --
> --------------------------------------------------------------------------
> Alistair Cunningham Selwyn College, Cambridge Email: ac212@cam.ac.uk
>
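
The point raised in the quoted thread, that a descriptor opened while privileged stays usable after root is dropped, can be checked from inside a process before it loads untrusted code. The C below is an added example, not code from any poster or from SVGAlib or Quake 2; `same_file` and `writable_fds_to` are hypothetical names, and /dev/null stands in for /dev/mem in the constructed demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: do two stat results name the same object? */
static int same_file(const struct stat *a, const struct stat *b)
{
    if (S_ISCHR(a->st_mode) && S_ISCHR(b->st_mode))
        return a->st_rdev == b->st_rdev;    /* same device, any node name */
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Count open descriptors below max_fd that refer to `path` and were opened
 * for writing. Returns -1 if `path` cannot be stat'ed. */
int writable_fds_to(const char *path, int max_fd)
{
    struct stat target, st;
    int fd, flags, acc, found = 0;

    if (stat(path, &target) != 0)
        return -1;
    for (fd = 0; fd < max_fd; fd++) {
        if (fstat(fd, &st) != 0 || !same_file(&st, &target))
            continue;                       /* closed, or some other file */
        flags = fcntl(fd, F_GETFL);
        if (flags < 0)
            continue;
        acc = flags & O_ACCMODE;
        if (acc == O_WRONLY || acc == O_RDWR)
            found++;                        /* setuid() does not revoke this */
    }
    return found;
}

/* Constructed demo: /dev/null plays the role of the retained /dev/mem fd. */
int main(void)
{
    int before = writable_fds_to("/dev/null", 256);
    int fd = open("/dev/null", O_RDWR);
    int held = writable_fds_to("/dev/null", 256);
    int after;

    close(fd);
    after = writable_fds_to("/dev/null", 256);
    printf("before=%d held=%d after=%d\n", before, held, after);
    return 0;
}
```

A non-zero result for the sensitive device after the privilege drop means code running in the process can still write to it, whatever its current uid.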