Security hole in SVGATextMode 1.8 that can lead to local root compromise.
Date: Tue, 26 Oct 1999 19:14:50 +0300
From: root@Death.GdS.RO
To: PacketStorm@Genocide2600.com
Subject: svgatextmode
hello,
I sent the bug with savetextmode to bugtraq.
I thought that it belonged to SVGATextMode, but
it is included in svgalib. So the threat is bigger...
Please update your page.
Regards,
Adrian Voinea
--------------------------------------------------------------------
Date: Thu, 21 Oct 1999 23:01:34 +0300
From: Adrian Voinea <root@DEATH.GDS.RO>
To: BUGTRAQ@netspace.org
Subject: SVGATextMode 1.8 /tmp race
Hello,
savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
mode data in /tmp, in two files with the mode 644:
[/tmp]
root@Death# ls -lA
total 1
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
[/tmp]
root@Death# savetextmode
svgalib: Using S3 driver (Trio64, 4096K).
svgalib: s3: chipsets newer than S3-864 is not supported well yet.
svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
[/tmp]
root@Death# ls -lA
total 35
drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
-rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
-rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
Also, I would like to add that savetextmode accepts no parameters.
So... any user on the system that knows that the root is using
SVGATextMode could link any of the files to a file that he wants to be
overwritten.
The e-mail is cc-ed to the maker of SVGATextMode, koen.gadeyne@barco.com.
.=-=-=-=-=-=-=-=-=.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=.
| Adrian Voinea |When I Die, I want to go like my grandfather did, |
| adi@gds.ro |peacefully in his sleep. Not yelling and screaming,|
|TEL:+40 51 412146|like all the passengers in his car! .=-=-=-=-=-=-=-'
`=-=-=-=-=-=-=-=-='=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
--------------------------------------------------------------------------
Date: Thu, 22 Oct 1998 11:16:47 -0400
From: Ben Collins <bmc@VISI.NET>
To: BUGTRAQ@netspace.org
Subject: Re: SVGATextMode 1.8 /tmp race
First off, savetextmode is NOT part of SVGATextMode, it is a script from
svgalib. I checked the savetextmode on my debian 2.0 system (svgalib
1.2.13):
[root@goodguy(11:10am)-~]%cat /usr/bin/savetextmode
#!/bin/sh
set -o noclobber
restoretextmode -w /dev/stdout > /tmp/textregs
restorefont -w /dev/stdout > /tmp/fontdata
The noclobber keeps it from overwriting any files. However, from the
original svgalib source the script looks like this:
[root@goodguy(11:13am)-~/svgalib-1.3.0/utils]%cat savetextmode
#!/bin/sh
restoretextmode -w /tmp/textregs
restorefont -w /tmp/fontdata
This WILL overwrite any files. So if you use the base svgalib, then
you have a problem. NOTE: The Debian package for svgalib 1.3 directs the
output to /etc/vga, so it is safe. I'm not sure if Red Hat has this changed
or not.
On Thu, 21 Oct 1999, Adrian Voinea wrote:
> Hello,
> savetextmode, a utility that comes with SVGATextMode 1.8, saves the text
> mode data in /tmp, in two files with the mode 644:
>
> [/tmp]
> root@Death# ls -lA
> total 1
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
>
> [/tmp]
> root@Death# savetextmode
> svgalib: Using S3 driver (Trio64, 4096K).
> svgalib: s3: chipsets newer than S3-864 is not supported well yet.
> svgalib: RAMDAC: Trio64: MCLK = 47.131 MHz
>
> [/tmp]
> root@Death# ls -lA
> total 35
> drwxrwxrwx 2 root gods 1024 Sep 24 1998 .X11-unix/
> -rw-r--r-- 1 root gods 32768 Oct 21 22:56 fontdata
> -rw-r--r-- 1 root gods 385 Oct 21 22:56 textregs
>
- ------------------------------------------------
Ben Collins <b.m.collins@larc.nasa.gov>
UnixGroup Admin - NASA LaRC
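
The difference between the two savetextmode scripts quoted in the reply above, shown as an added example that is not part of the original messages or of svgalib. It compares a plain write to a fixed name, a write under noclobber, and a write into a non-shared directory (the idea behind Debian's /etc/vga). The function names and the scratch directory standing in for /tmp are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed sandbox; "$dir" stands in for /tmp.

# Upstream svgalib 1.3.0 behaviour: a fixed name is opened and truncated.
write_plain() {       # write_plain FILE DATA
    printf '%s\n' "$2" > "$1"
}

# Debian 1.2.13 behaviour: with noclobber the shell refuses to open an
# existing regular file, including one reached through a symlink.
write_noclobber() {   # write_noclobber FILE DATA
    ( set -o noclobber; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Same idea as Debian's /etc/vga: only write below a real directory that
# group and other cannot write to, and still refuse to replace anything.
write_private() {     # write_private DIR NAME DATA
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        d????-??-*) write_noclobber "$1/$2" "$3" ;;
        *) return 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d) || return 1
    chmod 1777 "$dir"                        # world-writable and sticky, like /tmp
    printf 'important\n' > "$dir/victim"     # stands in for a file root owns
    ln -s "$dir/victim" "$dir/textregs"      # link already at the fixed name
    write_noclobber "$dir/textregs" regs || echo "noclobber: refused, victim intact"
    write_plain "$dir/textregs" regs
    echo "plain redirect: victim now contains '$(cat "$dir/victim")'"
    write_private "$dir" textregs regs || echo "shared dir: refused"
    mkdir -m 700 "$dir/vga"
    write_private "$dir/vga" textregs regs && echo "private dir: wrote vga/textregs"
    rm -rf "$dir"
}
demo
```

noclobber only protects against an existing regular file at the moment of the open; the directory check removes the shared, predictable location altogether.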