Linux /usr/bin/gnuplot overflow
Mar 05, 1999, 00:59
xnec@INFERNO.TUSCULUM.EDU posted to BUGTRAQ:
There is a local root compromise in /usr/bin/gnuplot version Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped to install suid root on SuSE 5.2 and maybe others. The exploit starts as a simple $HOME buffer overflow, but much like zgv holes in the past, it drops root privs before the overflow occurs. However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html, svgalib needs write access to /dev/mem, and we can therefore regain root privs by overwriting our uid.
The offending code appears in plot.c where we see:
Exploit and patch removed. A sure-fire way to correct this is to remove the setuid bit on the file (chmod 0755 /usr/bin/gnuplot). -lt ed