[9817] in bugtraq
Re: Linux /usr/bin/gnuplot overflow
daemon@ATHENA.MIT.EDU (Lars Hecking)
Fri Mar  5 12:00:23 1999
Mail-Followup-To: xnec@inferno.tusculum.edu, BUGTRAQ@netspace.org,
                  info-gnuplot-beta@Dartmouth.EDU
Date: 	Fri, 5 Mar 1999 12:27:28 +0000
Reply-To: Lars Hecking <lhecking@NMRC.UCC.IE>
From: Lars Hecking <lhecking@NMRC.UCC.IE>
X-To:         xnec@inferno.tusculum.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990304215518.483.qmail@inferno.tusculum.edu>; from
              xnec@inferno.tusculum.edu on Thu, Mar 04, 1999 at 09:55:18PM -0000
xnec@inferno.tusculum.edu writes:
> greetings,
>
> INFO:
>
> There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5
> (pre 3.6) patchlevel beta 336.  gnuplot is shipped to install suidroot on
> SuSE 5.2 and maybe others.  The exploit starts as a simple $HOME buffer
> overflow, but much like zgv holes in the past, it drops root privs before the
> overflow occurs.  However, as Nergal describes at
> http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access
> to /dev/mem, and we can therefore regain root privs by overwriting our uid.
>
> the offending code appears in plot.c where we see:
>
>     char home[80];
> ...
>     char *tmp_home=getenv(HOME);
> ...
>     strcpy(home,tmp_home);
 This particular piece of code has been changed before the release of
 gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend
 that all vendors shipping obsolete beta versions of gnuplot upgrade.
> Since I can see absolutely no reason for gnuplot to be suidroot, the best
> fix is chmod -s /usr/bin/gnuplot.
 It is my understanding that gnuplot requires root privileges so that
 SVGAlib can access the gfx board. Other than that, there is no reason
 for making it suid, and I would prefer a better solution.
> void main(int argc, char *argv[]) {
  ^^^^
 Yeuch!
--
As Zeus said to Narcissus, "Watch yourself."
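Added example, not code from the original post or from gnuplot itself: the unbounded strcpy() pattern quoted above next to a bounded replacement of the kind Lars describes for 3.7. The helper names (safe_strncpy, copy_home, home_overflows), the HOME_BUF size of 80 taken from the quoted plot.c, and the 200-byte constructed $HOME value are assumptions for illustration; gnuplot's real 3.7 helper is not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 80   /* size of char home[80] in the quoted plot.c */

/* The pattern quoted from plot.c: no bound at all. With $HOME of 80 bytes
 * or more this writes past home[] on the stack; with $HOME unset, getenv()
 * returns NULL and strcpy() dereferences it. Kept for comparison only. */
void copy_home_unsafe(char *home, const char *tmp_home)
{
    strcpy(home, tmp_home);
}

/* strncpy(3) does not NUL-terminate the destination when strlen(src) >= n.
 * This wrapper (an assumed name, not gnuplot's own code) copies at most
 * n-1 bytes and always terminates. */
char *safe_strncpy(char *dst, const char *src, size_t n)
{
    if (n == 0)
        return dst;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return dst;
}

/* Returns 1 if tmp_home would overflow an 80-byte home[] via strcpy(),
 * counting the terminating NUL, else 0. */
int home_overflows(const char *tmp_home)
{
    return tmp_home != NULL && strlen(tmp_home) >= HOME_BUF;
}

/* Hardened replacement for the quoted code. Returns 0 when $HOME was
 * copied intact, -1 when it was unset (home[] becomes "") or had to be
 * truncated. home[] is NUL-terminated on every path. */
int copy_home(char *home, size_t home_len, const char *tmp_home)
{
    if (home_len == 0)
        return -1;
    if (tmp_home == NULL) {          /* $HOME unset: strcpy() would crash here */
        home[0] = '\0';
        return -1;
    }
    safe_strncpy(home, tmp_home, home_len);
    return strlen(tmp_home) < home_len ? 0 : -1;
}

int main(void)
{
    char home[HOME_BUF];
    char evil[200];                  /* constructed oversize $HOME: 199 'A's */

    memset(evil, 'A', sizeof evil - 1);
    evil[sizeof evil - 1] = '\0';

    /* copy_home_unsafe(home, evil) would write 200 bytes into 80 here. */
    printf("strcpy would overflow: %d\n", home_overflows(evil));

    int rc = copy_home(home, sizeof home, evil);
    printf("copy_home rc=%d, kept %zu bytes, terminated=%d\n",
           rc, strlen(home), home[HOME_BUF - 1] == '\0');

    rc = copy_home(home, sizeof home, getenv("HOME"));
    printf("real $HOME rc=%d home=%s\n", rc, home);
    return 0;
}
```

The caller still has to act on the -1: in a setuid program a truncated or missing $HOME should be treated as an error rather than silently used, since the truncated path is not the one the user named.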