|
Bugtraq
mailing list archives
Re: Linux /usr/bin/gnuplot overflow
From: lhecking () NMRC UCC IE (Lars Hecking)
Date: Fri, 5 Mar 1999 12:27:28 +0000
xnec () inferno tusculum edu writes:
greetings,
INFO:
There is a local root comprimise in /usr/bin/gnuplot version Linux version 3.5
(pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on
SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer
overflow, but much like zgv holes in the past, it drops root privs before the
overflow occurs. However, as Nergal describes at
http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access
to /dev/mem, and we can therefore regain root privs by overwriting our uid.
the offending code appears in plot.c where we see:
char home[80];
...
char *tmp_home=getenv(HOME);
...
strcpy(home,tmp_home);
This particular piece of code has been changed before the release of
gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend
that all vendors shipping obsolete beta versions of gnuplot upgrade.
Since I can see absolutely no reason for gnuplot to be suidroot, the best
fix is chmod -s /usr/bin/gnuplot.
It is my understanding that gnuplot requires root privileges so that
SVGAlib can access the gfx board. Other than that, there is no reason
for making it suid, and I'd rather prefer a better solution.
void main(int argc, char *argv[]) {
^^^^
Yeuch!
--
As Zeus said to Narcissus, "Watch yourself."
 By Date 
By Thread
Current thread:
| 
Intro
