4932220 2000-03-23 00:49 /37 rader/ Postmaster
Mottagare: Bugtraq (import) <10347>
Ärende: gpm-root
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <20000322182143.4498.qmail@securityfocus.com>
Date: Wed, 22 Mar 2000 18:21:43 -0000
Reply-To: egmont@FAZEKAS.HU
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: egmont@FAZEKAS.HU
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hi!
I've sent report about the following security hole to the
authors of gpm, but they seemed to ignore the problem. The
problem applies to every gpm version known by me, for
example 1.18.1 and 1.19.0.
To exploit this problem, gpm-root must be running on a
machine and the user needs both login to that machine and
physical access to the keyboard and mouse.
gpm-root is a beautiful tool shipped in the gpm package. It
pops up beautiful menus based on each user's own config file
when Ctrl+Mousebutton is pressed on the console.
When the user selects one of his/her favourite utility from
his/her own list, gpm-root starts this process with the
group and supplementary groups of the gpm-root daemon.
gpm-root calls setuid() first and setgid() afterwards, hence
the later one is unsuccessful. The authors completely forgot
about calling initgroups().
bye
Egmont Koblinger
(4932220) ------------------------------------------
4936206 2000-03-24 09:04 /42 rader/ Postmaster
Mottagare: Bugtraq (import) <10357>
Ärende: Re: gpm-root
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000323214054.A11053@morgana.systemy.it>
Date: Thu, 23 Mar 2000 21:40:54 +0100
Reply-To: Alessandro Rubini <rubini@LINUX.IT>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Alessandro Rubini <rubini@LINUX.IT>
Organization: Free Lance in Pavia, Italy.
X-To: egmont@FAZEKAS.HU
X-cc: BUGTRAQ@SECURITYFOCUS.COM, gpm@prosa.it
To: BUGTRAQ@SECURITYFOCUS.COM
Hello Egmont.
> I've sent report about the following security hole to the
> authors of gpm, but they seemed to ignore the problem.
That's me, mainly. Unfortunately, I don't have any track of your
message about gpm-root.
> gpm-root is a beautiful tool shipped in the gpm package.
Not really that beautiful. It was just meant to be a demo, in the hope
someone will develop a real root-window tool. Anyways, it's
distributed, so I care(d) about its bugs.
> gpm-root calls setuid() first and setgid() afterwards, hence
> the later one is unsuccessful. The authors completely forgot
> about calling initgroups().
Thanks for your report, I'll fix it for 1.19.1, which I plan to
release in a few days. Since gpm is officially unmaintained,
gpm-1.19.1 will be the last one, hopefully, but I already had
it on schedule.
I want to thank Servio Medina for forwarding your message, as I
unsubscribed from bugtraq not long ago, due to excessive email load.
/alessandro
(4936206) ------------------------------------------
4936317 2000-03-24 09:31 /37 rader/ Postmaster
Mottagare: Bugtraq (import) <10358>
Ärende: Re: gpm-root
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Authentication-Warning: chia.umiacs.umd.edu: adam owned process doing -bs
X-Sender: adam@chia.umiacs.umd.edu
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.GSO.4.21.0003221831440.14564-100000@chia.umiacs.umd.edu>
Date: Wed, 22 Mar 2000 18:35:53 -0500
Reply-To: ADAM Sulmicki <adam@CFAR.UMD.EDU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: ADAM Sulmicki <adam@CFAR.UMD.EDU>
X-To: egmont@FAZEKAS.HU
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000322182143.4498.qmail@securityfocus.com>
> I've sent report about the following security hole to the
> authors of gpm, but they seemed to ignore the problem. The
> problem applies to every gpm version known by me, for
> example 1.18.1 and 1.19.0.
Well, if you would check README in 1.19.0 version, you would notice
following fragment:
=========== MAINTAINANCE
As of 1.19.0, gpm is officially unmaintained. I can't do it any more,
and nobody expressed interest in it.
So I don't think it is fair to blame someone who spent a great deal of
their time doing gpm and has just quit it. Instead of blaming them
how about making up a patch and telling everybody "here's a patch
which fixes this problem".
FWIW,
Adam
(4936317) ------------------------------------------
4936384 2000-03-24 09:45 /115 rader/ Postmaster
Mottagare: Bugtraq (import) <10361>
Ärende: Re: gpm-root
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0003231428110.13143-100000@csibe.fazekas.hu>
Date: Thu, 23 Mar 2000 14:45:15 +0100
Reply-To: Koblinger Egmont <egmont@FAZEKAS.HU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Koblinger Egmont <egmont@FAZEKAS.HU>
X-To: ADAM Sulmicki <adam@cfar.umd.edu>
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.21.0003221831440.14564-100000@chia.umiacs.umd.edu>
I sent them the bug report and the patch several times even before
the 1.18.x releases. Okay, I didn't read the README of 1.19, I just
thought it was time to tell the world not to install gpm-root,
because the authors simply ignored this security problem. Okay,
you're right, I send the patch at the end of this message.
bye
Egmont
> Well, if you would check README in 1.19.0 version, you would notice
> following fragment:
>
> =========== MAINTAINANCE
> As of 1.19.0, gpm is officially unmaintained. I can't do it any more,
> and nobody expressed interest in it.
>
> So I don't think it is fair to blame someone who spent a great deal of
> their time doing gpm and has just quit it. Instead of blaming them
> how about making up a patch and telling everybody "here's a patch
> which fixes this problem".
diff -u -r -N ../gpm-1.19.0.orig/doc/doc.gpm ./doc/doc.gpm
--- ../gpm-1.19.0.orig/doc/doc.gpm Mon Feb 7 23:34:00 2000
+++ ./doc/doc.gpm Thu Mar 23 14:37:43 2000
@@ -1969,6 +1969,12 @@
be broken by this daemon. Things should be sufficiently secure, but
if you find a hole please tell me about it.
+@item -r
+ Always run commands as root instead of the user who owns the tty.
+ Implies -u. This is useful for those system administrators who
+ put menu entries to reboot or halt the system, start or stop
+ xdm, change keyboard layout etc.
+
@item -D
Do not automatically enter background operation when started,
and log messages to the standard error stream, not the syslog
diff -u -r -N ../gpm-1.19.0.orig/gpm-root.y ./gpm-root.y
--- ../gpm-1.19.0.orig/gpm-root.y Thu Oct 7 20:15:18 1999
+++ ./gpm-root.y Thu Mar 23 14:37:43 2000
@@ -41,6 +41,7 @@
#include <sys/syslog.h>
#include <signal.h> /* sigaction() */
#include <pwd.h> /* pwd entries */
+#include <grp.h> /* initgroups() */
#include <sys/kd.h> /* KDGETMODE */
#include <sys/stat.h> /* fstat() */
#include <sys/utsname.h> /* uname() */
@@ -117,6 +118,7 @@
int opt_mod = 4; /* control */
int opt_buf = 0; /* ask the kernel about it */
int opt_user = 1; /* allow user cfg files */
+int opt_root = 0; /* run everything as root */
@@ -447,6 +449,7 @@
void f__fix(struct passwd *pass)
{
setgid(pass->pw_gid);
+ initgroups(pass->pw_name, pass->pw_gid);
setuid(pass->pw_uid);
setenv("HOME", pass->pw_dir, 1);
setenv("LOGNAME", pass->pw_name,1);
@@ -539,7 +542,7 @@
return 1;
case 0:
- setuid(uid);
+ if (opt_root) uid=0;
pass=getpwuid(uid);
if (!pass) exit(1);
f__fix(pass);
@@ -926,6 +929,7 @@
printf(" Valid options are\n"
" -m <number-or-name> modifier to use\n"
" -u inhibit user configuration files\n"
+ " -r run commands as root\n"
" -D don't auto-background and run as daemon\n"
" -V <verbosity-delta> increase amount of logged messages\n"
);
@@ -971,12 +975,13 @@
int opt;
gpm_log_daemon = 1;
- while ((opt = getopt(argc, argv,"m:uDV::")) != -1)
+ while ((opt = getopt(argc, argv,"m:urDV::")) != -1)
{
switch (opt)
{
case 'm': opt_mod=getmask(optarg, tableMod); break;
case 'u': opt_user=0; break;
+ case 'r': opt_root=1; opt_user=0; break;
case 'D': gpm_log_daemon = 0; break;
case 'V':
gpm_debug_level += (0 == optarg ? 1 : strtol(optarg, 0,
0));
(4936384) ------------------------------------------(Ombruten)