Linux /usr/bin/gnuplot overflow

[email protected] posted to BUGTRAQ:
There is a local root compromise in /usr/bin/gnuplot version
Linux version 3.5 (pre 3.6) patchlevel beta 336. gnuplot is shipped
to install suidroot on SuSE 5.2 and maybe others. The exploit
starts as a simple $HOME buffer overflow, but much like zgv holes
in the past, it drops root privs before the overflow occurs.
However, as Nergal describes at http://www.geek-girl.com/bugtraq/1998_4/0148.html,
svgalib needs write access to /dev/mem, and we can therefore regain
root privs by overwriting our uid.

The offending code appears in plot.c where we see:

char home[80];

char *tmp_home=getenv(HOME);
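As an added example, not the original post's code or gnuplot's own: the shape of the bug above (an environment value copied into a fixed 80-byte buffer) beside a bounded version that refuses oversized values instead of overflowing or silently truncating. The function names are hypothetical, and the test helper constructs its own input so nothing depends on the real $HOME.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HOME_LEN 80   /* the same fixed size as the post's char home[80] */

/* Vulnerable shape, hypothetical but modelled on the post: an unbounded
 * copy of an environment value into a fixed-size stack buffer. Nothing
 * here calls it with oversized input; it is shown only for contrast. */
int copy_home_unbounded(char *home, const char *value)
{
    strcpy(home, value);                 /* overflows home if strlen(value) >= 80 */
    return 0;
}

/* Hardened shape: check the length first and fail closed, so an oversized
 * or missing value never reaches the buffer (no silent truncation either). */
int copy_home_bounded(char *home, size_t home_len, const char *value)
{
    if (value == NULL)
        return -1;                       /* variable not set */
    size_t n = strlen(value);
    if (n >= home_len)
        return -2;                       /* no room for the terminator */
    memcpy(home, value, n + 1);
    return 0;
}

/* How a setuid program would use it: read $HOME from the real environment. */
int read_home_env(char *home, size_t home_len)
{
    return copy_home_bounded(home, home_len, getenv("HOME"));
}

/* Test helper: a constructed value of n 'A' characters against an 80-byte
 * buffer. 79 fits; 80 or more is rejected. */
int check_home_of_length(size_t n)
{
    char home[HOME_LEN];
    char *value = malloc(n + 1);
    if (value == NULL)
        return -3;
    memset(value, 'A', n);
    value[n] = '\0';
    int rc = copy_home_bounded(home, sizeof home, value);
    free(value);
    return rc;
}
```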
Exploit and patch removed. A sure-fire way to correct this
is to remove the setuid bit on the file (chmod 0755
/usr/bin/gnuplot). -lt ed