Bugtraq mailing list archives
Re: Linux /usr/bin/gnuplot overflow
From: lhecking () NMRC UCC IE (Lars Hecking)
Date: Fri, 5 Mar 1999 12:27:28 +0000
xnec () inferno tusculum edu writes:
> greetings, INFO: There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer overflow, but much like zgv holes in the past, it drops root privs before the overflow occurs. However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access to /dev/mem, and we can therefore regain root privs by overwriting our uid.
>
> The offending code appears in plot.c where we see:
>
>     char home[80];
>     ...
>     char *tmp_home = getenv("HOME");
>     ...
>     strcpy(home, tmp_home);
This particular piece of code has been changed before the release of gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend that all vendors shipping obsolete beta versions of gnuplot upgrade.
Since I can see absolutely no reason for gnuplot to be suidroot, the best fix is chmod -s /usr/bin/gnuplot.
It is my understanding that gnuplot requires root privileges so that SVGAlib can access the gfx board. Other than that, there is no reason for making it suid, and I'd rather prefer a better solution.
> void main(int argc, char *argv[]) {
  ^^^^ Yeuch! -- As Zeus said to Narcissus, "Watch yourself."
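For readers following the fix discussed above, here is an added example (not gnuplot's code, and not part of this thread) of what a bounded replacement for the plot.c strcpy() looks like: the 80-byte buffer stays, but the copy checks the length of the environment value first and refuses an oversize $HOME rather than overrunning or silently truncating it. The function names copy_home and load_home and the "/" fallback are this example's own choices.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_LEN 80   /* same fixed size as gnuplot's char home[80] */

/* Bounded replacement for strcpy(home, tmp_home).  Copies src into dst only
 * if it fits, and always leaves dst NUL-terminated.  Returns 0 on success,
 * -1 if src is NULL (HOME unset) or would not fit in dstsz bytes. */
static int copy_home(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';                      /* dst is always a valid string */
    if (src == NULL)
        return -1;                      /* HOME unset: nothing to copy */
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;                      /* would overflow: refuse instead */
    memcpy(dst, src, n + 1);            /* n < dstsz, so the NUL fits too */
    return 0;
}

/* Mirrors the fixed code path: load the HOME value (here passed in, so it
 * can be tested with constructed input) into the 80-byte buffer, falling
 * back to "/" when it is missing or too long. */
static const char *load_home(char *home, size_t homesz, const char *value)
{
    if (copy_home(home, homesz, value) != 0)
        snprintf(home, homesz, "/");    /* bounded fallback */
    return home;
}

int main(void)
{
    char home[HOME_LEN];
    /* Real program would use getenv("HOME"); the result is bounded either way. */
    load_home(home, sizeof home, getenv("HOME"));
    printf("home=%s\n", home);
    return 0;
}
```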