Bugtraq mailing list archives
Re: xmms/xchat full access shared memory segments (and Mozilla)
From: Ian Freislich <iang () digs iafrica com>
Date: Sun, 16 Dec 2001 09:40:51 +0200
julien vanegue wrote:
The problem seems to affect a lot of programs, because they do not fill the last parameter of the syscall correctly, but it is rarely exploitable.
int shmget(key_t key, size_t size, int shmflg);
Well, the culprit is gtk:
(gtk+-1.2.10/gdk/gdkimage.c line 214)
  x_shm_info->shmid = shmget (IPC_PRIVATE,
                              private->ximage->bytes_per_line * private->ximage->height,
                              IPC_CREAT | 0777);
where the mode is explicitly set. Don't know what this will break
if it gets set to 0600.
[brane] /usr/ports/x11-toolkits/gtk12 # ipcs -p -m
Shared Memory:
T       ID      KEY  MODE         OWNER  GROUP   CPID  LPID
m    65536  5432001  --rw-------  pgsql  pgsql    271   271
m  1441793        0  --rw-------  iang   guest  19400   324
[brane] /usr/ports/x11-toolkits/gtk12 # ps -p 19400
  PID  TT  STAT     TIME COMMAND
19400  p4  S+    0:06.11 xmms
The little that I have linking against gtk seems to work.
Ian
--
Ian Freislich
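
Added example (not part of the original post, and not gtk code): the low nine bits of shmflg become the segment's mode, so this C sketch creates a private segment with 0777 and with 0600, reads the recorded mode back with IPC_STAT, and shows the owner restricting an existing 0777 segment with IPC_SET. The function names are hypothetical, and each function returns -1 where System V shared memory is unavailable.

```c
/* Added example: not gtk code. Function names are hypothetical. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Nonzero when group or other holds any permission bit on the segment. */
int shm_mode_exposed(unsigned mode) { return (mode & 0077) != 0; }

/* Mode the kernel recorded for segment id, or -1 if IPC_STAT fails. */
static int shm_mode_of(int id)
{
    struct shmid_ds ds;
    return shmctl(id, IPC_STAT, &ds) == 0 ? (int)(ds.shm_perm.mode & 0777) : -1;
}

/* Create a private segment with the given permission bits, read the mode
 * back, and remove the segment again. Returns -1 if SysV shm is unavailable. */
int shm_created_mode(int perms)
{
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | perms);
    if (id < 0) return -1;
    int mode = shm_mode_of(id);
    shmctl(id, IPC_RMID, NULL);
    return mode;
}

/* Create a segment 0777 as in the quoted call, then have the owner restrict
 * it to 0600 with IPC_SET. Returns the resulting mode, or -1 on failure. */
int shm_tighten_demo(void)
{
    struct shmid_ds ds;
    int mode = -1;
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | 0777);
    if (id < 0) return -1;
    if (shmctl(id, IPC_STAT, &ds) == 0) {
        ds.shm_perm.mode = 0600;          /* IPC_SET uses only the low 9 bits */
        if (shmctl(id, IPC_SET, &ds) == 0) mode = shm_mode_of(id);
    }
    shmctl(id, IPC_RMID, NULL);
    return mode;
}

int main(void)
{
    int wide = shm_created_mode(0777), priv = shm_created_mode(0600);
    printf("0777 -> %o exposed=%d\n", (unsigned)wide, shm_mode_exposed((unsigned)wide));
    printf("0600 -> %o exposed=%d\n", (unsigned)priv, shm_mode_exposed((unsigned)priv));
    printf("tightened -> %o\n", (unsigned)shm_tighten_demo());
    return 0;
}
```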
