Re: Security hole: "zgv"

From: Alistair Cunningham (ac212at_private)
Date: Sat Feb 20 1999 - 15:00:05 PST


    On Fri, Feb 19, 1999 at 06:10:00PM +0000, Chris Evans wrote:
    
    [ snip zgv security discussion ]
    
    >
    > This latter hole was interesting. It demonstrated that while an SVGAlib
    > application drops root privileges after initializing, it is still
    > vulnerable to buffer overflows because the program holds a vital resource;
    > a writeable file descriptor to /dev/mem. This applies to all SVGAlib
    > programs.
    >
    
    I've just tested, and this applies to quake 2. This is particularly bad,
    as quake 2 supports user-written .so files. Quake 2 drops root privileges
    before loading them, but now it would appear that they can get root back.
    
    
    Alistair Cunningham (who's just chmodded -s quake2)
    
    --
    --------------------------------------------------------------------------
     Alistair Cunningham   Selwyn College, Cambridge   Email: ac212at_private
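
The point made in this thread, that dropping root does not help while a writable descriptor to /dev/mem stays open, can be checked from inside a process. The following is an added example, not part of the original post or of SVGAlib or Quake 2: a POSIX C audit that counts writable descriptors still referring to a given path. The function names `same_object` and `writable_fds_to` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Character devices are matched by device number, other files by dev+inode. */
static int same_object(const struct stat *a, const struct stat *b)
{
    if (S_ISCHR(a->st_mode) && S_ISCHR(b->st_mode))
        return a->st_rdev == b->st_rdev;
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Count descriptors open in this process that refer to `path` and carry
 * write access. dup()ed descriptors are counted too, since each one is
 * usable on its own. Returns -1 if `path` cannot be stat'ed. */
int writable_fds_to(const char *path)
{
    struct stat target, st;
    long max_fd = sysconf(_SC_OPEN_MAX);
    int found = 0;
    if (stat(path, &target) != 0)
        return -1;
    if (max_fd < 0 || max_fd > 65536)
        max_fd = 65536;              /* bound the scan on huge limits */
    for (int fd = 0; fd < max_fd; fd++) {
        int flags = fcntl(fd, F_GETFL);
        if (flags == -1 || fstat(fd, &st) != 0)
            continue;                /* not an open descriptor */
        if (!same_object(&st, &target))
            continue;
        int mode = flags & O_ACCMODE;
        if (mode == O_WRONLY || mode == O_RDWR)
            found++;
    }
    return found;
}

/* Intended to run after the privilege drop and before untrusted code
 * (for example a user-supplied .so) is loaded. */
int main(void)
{
    int n = writable_fds_to("/dev/mem");
    if (n > 0)
        fprintf(stderr, "%d writable /dev/mem descriptor(s) still open\n", n);
    return n > 0 ? 1 : 0;            /* -1 (no such path) is not a finding */
}
```

A non-zero count after the drop means the process still holds the resource described above, so code running in it is not confined by the changed uid.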
    


