Re: Overflow in zgv-4.1?
Paul Boehm (pb@INSECURITY.NET)
Fri, 9 Oct 1998 14:58:50 +0200
- Next message: Aleph One: "The Cuartango Security Hole in IE4"
- Previous message: Alexis POLOZOV: "DU 4.0D cdfs bug : xcd eject CDROM, even mounted."
- In reply to: onix: "Overflow in zgv-4.1?"

On Thu, Oct 08, 1998 at 12:08:13AM -0500, onix wrote:
> Possible security risk in setuid zgv 4.1 which may lead to local root
> compromise. zgv is installed setuid root by default.

--snip--

i found this overrun some months ago and even tried to exploit it...
all i got was a shell with MY uid... then i posted it to the security
auditing mailinglist and Alan Cox pointed out that vga_init() drops
root privileges.. all you can gain from this overrun is video display
access.

for the whole thread check out the secau mailinglist archives at
http://science.nas.nasa.gov/Pubs/Mail/archive/linux-security-audit/
or
http://www2.merton.ox.ac.uk/~security/

bye,
paul

PS: you can also overflow zgv using an overlong HOME environment variable.

--
.----------------------------------------------------------------------.
| mail: pb@insecurity.net      ::      url: http://paul.boehm.org      |
| irc: infected   ::   pgp: finger pb@insecurity.net | pgp -fka        |
\.....Linux is like a wigwam - no windows, no gates, apache inside..../
