Re: Linux GNOME exploit

From: Elliot Lee (sopwithat_private)
Date: Mon Sep 27 1999 - 11:25:02 PDT

Next message: Fülöp Mikló: "Re: IE 5.0 security vulnerability - reading local (and from any"

Previous message: Alan Cox: "Re: Linux GNOME exploit"
Maybe in reply to: Brock Tellier: "Linux GNOME exploit"
Next in thread: Thomas Biege: "Re: Linux GNOME exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Virtually any program using the GNOME libraries is vulnerable to a
> buffer overflow attack.  The attack comes in the form:
>
> /path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer
>
> The following exploit should work against any GNOME program, though I
> tried it on (the irony) /usr/games/nethack, which is SGID root by
> default on RH6.0.  An attack on any program will look something like
> this:

(a) Red Hat Linux does not come with nethack.
(b) I tried specifying a very long argument to --espeaker, and achieved
    no success in making anything segfault etc. (esound 0.2.14).
(c) GNOME is not designed to be used in setuid root programs. There is
    too much complexity involved to achieve any assurance of security
    in any GUI program - untrusted input can be supplied by the X server,
    environment variables, other file descriptors, and command line args,
    and processed in difficult-to-audit ways.

    Developers of ALL GUI programs (not just GNOME ones) should
    use small helper programs to access higher privilege levels.

Here are the programs in RH Rawhide gnome-* packages that attain
additional privileges when run:

-r-xr-s--x     root    games        67596 Sep 21 15:38 /usr/bin/gnibbles
-r-xr-s--x     root    games        75900 Sep 21 15:38 /usr/bin/gnobots2
-r-xr-s--x     root    games        52592 Sep 21 15:38 /usr/bin/gnome-stones
-r-xr-s--x     root    games        71424 Sep 21 15:38 /usr/bin/gnomine
-r-xr-s--x     root    games        26036 Sep 21 15:38 /usr/bin/gnotravex
-r-xr-s--x     root    games       234200 Sep 21 15:38 /usr/bin/gtali
-r-xr-s--x     root    games        24156 Sep 21 15:38 /usr/bin/gturing
-r-xr-s--x     root    games        48444 Sep 21 15:38 /usr/bin/iagno
-r-xr-s--x     root    games        38788 Sep 21 15:38 /usr/bin/mahjongg
-r-xr-s--x     root    games        21268 Sep 21 15:38 /usr/bin/same-gnome
-rwxr-sr-x     root     utmp         8600 Sep 23 15:41 /usr/sbin/gnome-pty-helper

The gnome games fork a scores helper, then drop this privilege right away.
The helper section has been written with security in mind.

gnome-pty-helper has been audited.

I conclude that any security problems are caused by incorrect installation
of third-party software.
-- Elliot					http://developer.gnome.org/
The first thing a programmer needs to admit is that any program is by far
more complex than his own mind. Thats why he partitions it into neat
pieces and avoids complexity.

Next message: Fülöp Mikló: "Re: IE 5.0 security vulnerability - reading local (and from any"
Previous message: Alan Cox: "Re: Linux GNOME exploit"
Maybe in reply to: Brock Tellier: "Linux GNOME exploit"
Next in thread: Thomas Biege: "Re: Linux GNOME exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:32 PDT