Bugtraq mailing list archives
Re: gtk+ security hole.
From: Rob Mosher <rmosher () LIGHTNING NET>
Date: Tue, 2 Jan 2001 16:13:58 -0500
A simple fix to this would be to drop privileges before calling gtk_init(). Another easy fix is to modify gtk itself; to do this you need to make the following modification to gtkmain.c. In gtk-1.2.8 it's at approximately line 215, where you have:

    env_string = getenv ("GTK_MODULES");

Add the following line above it:

    if(geteuid() != getuid())

This will prevent gtk from loading modules if the program calling gtk_init has a different euid than the uid.

Chris Sharp wrote:
> While going through a quick audit of gtk I found:
> gtk+ can be tricked into running arbitrary code via a bogus module. This means any program using gtk that is set*id can be exploited via this method.
> Here is an exploit I wrote for this security hole:
> original xgtk.c (working/un-wrapped): http://realhalo.org/xgtk.c
> [snip]

--
Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC
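The two mitigations from Rob's reply (dropping privileges before gtk_init(), and refusing an environment-supplied module list when the effective and real ids differ) in one small standalone C program. This is an added example, not code from gtk or from anyone in the thread; the function names are invented, and the check goes beyond the post by comparing the gid pair as well as the uid pair.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 when GTK_MODULES may be honoured: real and effective ids match, so
 * the process is not running set*id and whoever set the variable already had
 * the privileges the process runs with. Adds the gid pair to the post's check. */
int env_is_trusted(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* The guarded getenv from the post as a function: returns the module list
 * only when the environment is trusted, otherwise NULL so nothing is loaded. */
const char *select_module_list(const char *env_value, uid_t ruid, uid_t euid,
                               gid_t rgid, gid_t egid)
{
    if (!env_is_trusted(ruid, euid, rgid, egid))
        return NULL;
    return env_value;
}

/* The other fix: drop to the real ids before gtk_init() or any other call that
 * consults the environment. Groups go first, because once the uid is dropped
 * the process can no longer change its gids. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Confirm the effective ids actually changed before trusting the drop. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    const char *mods = select_module_list(getenv("GTK_MODULES"), getuid(),
                                          geteuid(), getgid(), getegid());
    printf("GTK_MODULES %s\n", mods ? "honoured" : "ignored");
    return 0;
}
```

Run as an unprivileged user the variable is honoured; installed set*id and started by a different user, the id mismatch makes select_module_list() return NULL unless drop_privileges() ran first.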
Current thread:
- gtk+ security hole. Chris Sharp (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Kain (Jan 03)
- Re: gtk+ security hole. Robert van der Meulen (Jan 03)
- Re: gtk+ security hole. Wichert Akkerman (Jan 04)
- Re: gtk+ security hole. Rob Mosher (Jan 03)
- Re: gtk+ security hole. Rob Mosher (Jan 02)
- <Possible follow-ups>
- Re: gtk+ security hole. Bryan Porter (Jan 04)
- Re: gtk+ security hole. Crist Clark (Jan 05)
- Re: gtk+ security hole. Joe (Jan 05)
- Re: gtk+ security hole. Crispin Cowan (Jan 05)
- Re: gtk+ security hole. Bryan Porter (Jan 05)