Linux Today: Linux News On Internet Time.

Linux /usr/bin/gnuplot overflow

Mar 05, 1999, 00:59

xnec@INFERNO.TUSCULUM.EDU posted to BUGTRAQ:

greetings,

INFO:

There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suidroot on SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer overflow, but much like zgv holes in the past, it drops root privs before the overflow occurs. However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access to /dev/mem, and we can therefore regain root privs by overwriting our uid.

the offending code appears in plot.c where we see:

char home[80];
...
char *tmp_home=getenv(HOME);
...
strcpy(home,tmp_home);

Exploit and patch removed. A sure-fire way to correct this is to remove the setuid bit on the file (chmod 0755 /usr/bin/gnuplot). -lt ed