S.u.S.E. Gnomelib Buffer Overflow Vulnerability
BID:1155
Info
S.u.S.E. Gnomelib Buffer Overflow Vulnerability
| Bugtraq ID: | 1155 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 29 2000 12:00AM |
| Updated: | Apr 29 2000 12:00AM |
| Credit: | This vulnerability was posted to the Bugtraq mailing list on April 29, 2000 by bladi <[email protected]> |
| Vulnerable: |
SuSE Linux 6.4 SuSE Linux 6.3 |
| Not Vulnerable: |
Redhat Linux 6.2 sparc Redhat Linux 6.2 i386 Redhat Linux 6.2 alpha |
Discussion
S.u.S.E. Gnomelib Buffer Overflow Vulnerability
A vulnerability exists in the handling of the DISPLAY variable, in versions of Gnomelib shipped with S.u.S.E. Linux, version 6.3. By supplying a long buffer containing machine executable code in the DISPLAY environment variable, it is possible to execute arbitrary code with the permissions of the user running the binary. In the case of a setuid binary, it is possible to obtain the privileges of the user it is setuid to. This in turn may be used to elevate privileges, and in theory could result in local root compromise.
S.u.S.E. 6.3 ships with 1 setgid application, /opt/gnome/sbin/gnome-pty-helper, which is setgid tty. 6.4 ships with setgid gnome games. The version of gnomelib included with S.u.S.E. 6.4 is not vulnerable to this attack, however.
A vulnerability exists in the handling of the DISPLAY variable, in versions of Gnomelib shipped with S.u.S.E. Linux, version 6.3. By supplying a long buffer containing machine executable code in the DISPLAY environment variable, it is possible to execute arbitrary code with the permissions of the user running the binary. In the case of a setuid binary, it is possible to obtain the privileges of the user it is setuid to. This in turn may be used to elevate privileges, and in theory could result in local root compromise.
S.u.S.E. 6.3 ships with 1 setgid application, /opt/gnome/sbin/gnome-pty-helper, which is setgid tty. 6.4 ships with setgid gnome games. The version of gnomelib included with S.u.S.E. 6.4 is not vulnerable to this attack, however.
Exploit / POC
S.u.S.E. Gnomelib Buffer Overflow Vulnerability
Exploit available:
Exploit available:
Solution / Fix
S.u.S.E. Gnomelib Buffer Overflow Vulnerability
Solution:
S.u.S.E. has released an update which fixes the DISPLAY variable overflow problem.
Set permission of /opt/gnome/sbin/gnome-pty-helper more restricted: 755, root, tty
SuSE Linux 6.3
SuSE Linux 6.4
Solution:
S.u.S.E. has released an update which fixes the DISPLAY variable overflow problem.
Set permission of /opt/gnome/sbin/gnome-pty-helper more restricted: 755, root, tty
SuSE Linux 6.3
-
S.u.S.E. gnlibs.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/gnm1/gnlibs.rpm -
S.u.S.E. gnlibsd.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/gnm1/gnlibsd.rpm
SuSE Linux 6.4
-
S.u.S.E. gnlibs.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/gnm1/gnlibs.rpm -
S.u.S.E. gnlibsd.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/gnm1/gnlibsd.rpm
References
S.u.S.E. Gnomelib Buffer Overflow Vulnerability
References:
References: