Re: Linux /usr/bin/gnuplot overflow

[lhecking () NMRC UCC IE (Lars Hecking)]

xnec () inferno tusculum edu writes:
> greetings,
>
> INFO:
>
> There is a local root comprimise in /usr/bin/gnuplot version Linux version 3.5
> (pre 3.6) patchlevel beta 336.  gnuplot is shipped to install suidroot on
> SuSE 5.2 and maybe others.  The exploit starts as a simple $HOME buffer
> overflow, but much like zgv holes in the past, it drops root privs before the
> overflow occurs.  However, as Nergal describes at
> http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access
> to /dev/mem, and we can therefore regain root privs by overwriting our uid.
>
> the offending code appears in plot.c where we see:
>
>     char home[80];
> ...
>     char *tmp_home=getenv(HOME);
> ...
>     strcpy(home,tmp_home);

 This particular piece of code has been changed before the release of
 gnuplot release 3.7 to use a "safe" version of strncpy(). We recommend
 that all vendors shipping obsolete beta versions of gnuplot upgrade.

> Since I can see absolutely no reason for gnuplot to be suidroot, the best
> fix is chmod -s /usr/bin/gnuplot.

 It is my understanding that gnuplot requires root privileges so that
 SVGAlib can access the gfx board. Other than that, there is no reason
 for making it suid, and I'd rather prefer a better solution.

> void main(int argc, char *argv[]) {
  ^^^^

 Yeuch!

--
As Zeus said to Narcissus, "Watch yourself."