[18402] in bugtraq


Re: gtk+ security hole.

daemon@ATHENA.MIT.EDU (Rob Mosher)
Tue Jan 2 19:09:04 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Message-Id:  <3A524496.5090703@lightning.net>
Date:         Tue, 2 Jan 2001 16:13:58 -0500
Reply-To: Rob Mosher <rmosher@LIGHTNING.NET>
From: Rob Mosher <rmosher@LIGHTNING.NET>
X-To:         v9@FAKEHALO.ORG
To: BUGTRAQ@SECURITYFOCUS.COM

A simple fix to this would be to drop privileges before calling
gtk_init(). Another easy fix is to modify gtk itself; to do this you
need to make the following modification to gtkmain.c.  In gtk-1.2.8 it's
at approximately line 215, where you have:

   env_string = getenv ("GTK_MODULES");

add the following line above it (the check must be for equal ids, so that
GTK_MODULES is only read when the program is not running set*id):

   if (geteuid() == getuid())   /* honour GTK_MODULES only when euid == uid */

This will prevent gtk from loading modules if the program calling
gtk_init has a different euid than the uid.

Chris Sharp wrote:

> while going through a quick audit of gtk i found:
>
> gtk+ can be tricked into running arbitrary code
> via a bogus module.  this means any program using
> gtk that is set*id can be exploited via this
> method.  here is an exploit i wrote for this
> security hole:
>
>
> original xgtk.c(working/un-wrapped):
> http://realhalo.org/xgtk.c
[snip]

--
Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC
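Both fixes in Rob Mosher's post (drop privileges before gtk_init(), or have the library ignore GTK_MODULES when the effective and real ids differ) can be shown in a few lines of C. The following is an added example written for this archive page, not code from gtk or from the poster: it factors the id comparison into a pure function, wraps getenv() with it the way the proposed gtkmain.c change does, and shows a drop_privileges() that verifies the drop actually took effect. The function and variable names are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure check: environment-driven module loading is only safe when the real
   and effective ids match, i.e. no set*id elevation is in effect. Group ids
   are compared too, since setgid programs face the same problem. */
int env_modules_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Guarded replacement for the bare getenv("GTK_MODULES") in gtkmain.c:
   returns NULL (nothing to load) whenever the process is running set*id.
   Name and shape are an assumption for this example. */
const char *guarded_module_env(const char *name)
{
    if (!env_modules_allowed(getuid(), geteuid(), getgid(), getegid()))
        return NULL;
    return getenv(name);
}

/* Permanently drop privileges before calling gtk_init(): group first
   (changing it after the uid change would fail), then user, then verify.
   Returns 0 on success, -1 if any step failed or the drop did not stick. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* A silent failure here would leave modules loadable with elevated ids. */
    if (getegid() != gid || geteuid() != uid)
        return -1;
    /* If we were not root to begin with, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample value: what an attacker-controlled environment
       would carry if the set*id program read it unguarded. */
    setenv("GTK_MODULES", "example_module", 1);

    printf("before drop: GTK_MODULES seen as %s\n",
           guarded_module_env("GTK_MODULES") ? "set" : "ignored");

    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("after drop:  GTK_MODULES seen as %s\n",
           guarded_module_env("GTK_MODULES") ? "set" : "ignored");
    return 0;
}
```

Run from a normal (non-set*id) shell both lines print "set", because real and effective ids already match; installed set*id, the first line prints "ignored" and only after drop_privileges() succeeds is the variable honoured, which is the behaviour the post describes.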
