Linux Today: Linux News On Internet Time.

Linux /usr/bin/gnuplot overflow

Mar 05, 1999, 00:59

There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suid root on SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer overflow, but much like zgv holes in the past, gnuplot drops root privs before the overflow occurs. However, as Nergal describes at, svgalib needs write access to /dev/mem, and we can therefore regain root privs by overwriting our uid.

The offending code appears in plot.c, where we see:

char home[80];
char *tmp_home=getenv(HOME);

Exploit and patch removed. A sure-fire way to correct this is to remove the setuid bit on the file (chmod 0755 /usr/bin/gnuplot). -lt ed
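
For the code-level side of the fix, here is an added example (not gnuplot's code and not the removed patch) of a length-checked copy of $HOME into a fixed 80-byte buffer like the home[80] quoted above. It assumes the original copied tmp_home into home without a length check, since the page shows only the declarations; copy_env_path and HOME_BUF are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 80   /* same size as the home[80] buffer quoted above */

/*
 * Hypothetical helper (not gnuplot code): copy an environment-supplied
 * path into a fixed buffer only if it fits, terminator included.
 * Returns 0 on success, -1 if src is missing or would not fit.
 * On failure dst is left as an empty string.
 */
int copy_env_path(char *dst, size_t dstlen, const char *src)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)              /* getenv() returns NULL when unset */
        return -1;
    n = strlen(src);
    if (n >= dstlen)              /* no room for the NUL terminator */
        return -1;                /* reject: a truncated path may name a different file */
    memcpy(dst, src, n + 1);      /* n + 1 <= dstlen, so this stays in bounds */
    return 0;
}

int main(void)
{
    char home[HOME_BUF];
    const char *tmp_home = getenv("HOME");

    if (copy_env_path(home, sizeof home, tmp_home) != 0) {
        fprintf(stderr, "HOME unset or longer than %d bytes; ignoring it\n",
                HOME_BUF - 1);
        return 1;
    }
    printf("home = %s\n", home);
    return 0;
}
```

The environment is fully controlled by the invoking user, so a setuid program has to treat every getenv() result as untrusted input of arbitrary length.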