Subject: gpm-root
From: egmontFAZEKAS.HU
Date: Wed Mar 22 2000 - 12:21:43 CST
I've sent a report about the following security hole to the
authors of gpm, but they seemed to ignore the problem. The
problem applies to every gpm version known to me, for
example 1.18.1 and 1.19.0.

To exploit this problem, gpm-root must be running on a
machine and the user needs both a login on that machine and
physical access to the keyboard and mouse.

gpm-root is a beautiful tool shipped in the gpm package. It
pops up beautiful menus based on each user's own config file
when Ctrl+Mousebutton is pressed on the console.

When the user selects one of his/her favourite utilities from
his/her own list, gpm-root starts this process with the
group and supplementary groups of the gpm-root daemon.

gpm-root calls setuid() first and setgid() afterwards, hence
the latter one is unsuccessful. The authors completely forgot
about calling initgroups().
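
The ordering problem described above, shown as an added C example that is not gpm's code: one function reproduces the setuid()-before-setgid() sequence and reports which call fails, the other drops privileges in the order that works (initgroups(), then setgid(), then setuid()) and verifies the result. The function names, the step codes and the target user (constructed: "nobody", uid/gid 65534) are assumptions of this example.

```c
/* Added example (not gpm's code): privilege-drop ordering.
 * Assumes a POSIX/Linux system; user, uid and gid are parameters. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step codes so a caller can tell which call failed. */
enum { DROP_OK = 0, DROP_ERR_GROUPS = -1,
       DROP_ERR_SETGID = -2, DROP_ERR_SETUID = -3 };

/* The ordering from the post: setuid() first. Once the process is no
 * longer root it lacks CAP_SETGID, so setgid() fails with EPERM and the
 * child keeps the daemon's gid (and its supplementary groups, which were
 * never touched at all). */
int drop_privileges_gpm_order(uid_t uid, gid_t gid)
{
    if (setuid(uid) != 0) return DROP_ERR_SETUID;
    if (setgid(gid) != 0) return DROP_ERR_SETGID;  /* EPERM once uid != 0 */
    return DROP_OK;
}

/* Corrected ordering: supplementary groups, then gid, then uid. Each
 * step is performed while the privilege it needs is still held, and the
 * result is checked before any user-selected program is started. */
int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    if (initgroups(user, gid) != 0) return DROP_ERR_GROUPS; /* needs root */
    if (setgid(gid) != 0) return DROP_ERR_SETGID;
    if (setuid(uid) != 0) return DROP_ERR_SETUID;
    /* Verify: ids really changed, and root cannot be regained. */
    if (getgid() != gid || getegid() != gid) return DROP_ERR_SETGID;
    if (getuid() != uid || geteuid() != uid) return DROP_ERR_SETUID;
    if (uid != 0 && setuid(0) == 0) return DROP_ERR_SETUID;
    return DROP_OK;
}

int main(void)
{
    /* Try the corrected sequence; as a non-root caller only initgroups()
     * can fail, which is itself the step the post says gpm-root omits. */
    int rc = drop_privileges("nobody", 65534, 65534);
    printf("drop_privileges: %d (%s)\n", rc, rc ? strerror(errno) : "ok");
    return rc == DROP_OK ? 0 : 1;
}
```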

Egmont Koblinger