Re: xmms/xchat full access shared memory segments (and Mozilla)

From: Ian Freislich (iangat_private)
Date: Sat Dec 15 2001 - 23:40:51 PST

    julien vanegue wrote:
    > The problem seems to affect a lot of programs, because they do not
    > fill the last parameter of the syscall correctly, but it is rarely
    > exploitable.
    > 
    > int shmget(key_t key, size_t size, int shmflg);
    
    Well, the culprit is gtk:
    
    (gtk+-1.2.10/gdk/gdkimage.c line 214)
    x_shm_info->shmid = shmget (IPC_PRIVATE,
        private->ximage->bytes_per_line * private->ximage->height,
        IPC_CREAT | 0777);
    
    where the mode is explicitly set.  Don't know what this will break
    if it gets set to 0600.
    
    [brane] /usr/ports/x11-toolkits/gtk12 # ipcs -p -m
    Shared Memory:
    T     ID     KEY        MODE       OWNER    GROUP  CPID  LPID
    m  65536    5432001 --rw-------    pgsql    pgsql    271    271
    m 1441793         0 --rw-------     iang    guest  19400    324
    
    [brane] /usr/ports/x11-toolkits/gtk12 # ps -p 19400
      PID  TT  STAT      TIME COMMAND
    19400  p4  S+     0:06.11 xmms
    
    
    The little that I have linking against gtk seems to work.
    
    Ian
    
    --
    Ian Freislich
    
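Added example, not taken from the mail, from gtk or from xmms: the gdkimage.c shmget call with the permission bits turned into a parameter, plus a shmctl(IPC_STAT) check that reads back the mode the kernel recorded, which is the MODE column that `ipcs -p -m` prints above. It assumes a system with SysV IPC and a 4096-byte segment; the function names are hypothetical.

```c
/* Added example (not gtk's code): shmget as in gdkimage.c, mode as a
 * parameter, then shmctl(IPC_STAT) to read back the bits the kernel kept. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* True if group or others get read or write, i.e. any local user could
 * shmat() the segment (0777 does, 0600 does not). */
int mode_is_world_accessible(unsigned mode)
{
    return (mode & 0066) != 0;
}

/* Same call as gdkimage.c line 214, with the mode as a parameter.
 * Returns the shmid, or -1 with errno set. */
int create_private_segment(size_t size, unsigned mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | (int)(mode & 0777));
}

/* Permission bits recorded for the segment (shm_perm.mode), -1 on error. */
int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (int)(ds.shm_perm.mode & 0777);
}

/* Mark the segment for removal; 0 on success, -1 on error. */
int remove_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    int id = create_private_segment(4096, 0600);
    if (id == -1) {
        perror("shmget");
        return 1;
    }
    int mode = segment_mode(id);
    printf("shmid %d mode %04o, world-accessible: %s\n", id, mode,
           mode_is_world_accessible((unsigned)mode) ? "yes" : "no");
    remove_segment(id);
    return 0;
}
```

The same IPC_STAT read is what to run against a live segment id from `ipcs` when auditing which processes leave world-accessible segments behind.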



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 12:31:49 PST