Home page logo

bugtraq logo Bugtraq mailing list archives

From: egmont () FAZEKAS HU (egmont () FAZEKAS HU)
Date: Wed, 22 Mar 2000 18:21:43 -0000


I've sent report about the following security hole to the
authors of gpm, but they seemed to ignore the problem. The
problem applies to every gpm version known by me, for
example 1.18.1 and 1.19.0.

To exploit this problem, gpm-root must be running on a
machine and the user needs both login to that machine and
physical access to the keyboard and mouse.

gpm-root is a beautiful tool shipped in the gpm package. It
pops up beautiful menus based on each user's own config file
when Ctrl+Mousebutton is pressed on the console.

When the user selects one of his/her favourite utility from
his/her own list, gpm-root starts this process with the
group and supplementary groups of the gpm-root daemon.

gpm-root calls setuid() first and setgid() afterwards, hence
the later one is unsuccessful. The authors completely forgot
about calling initgroups().

Egmont Koblinger

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]