Re: Linux GNOME exploit
This would actually be an overflow exploit in esdlib.
Attached is a patch for your review.  Many people
install x11amp setuid root for the real-time process
scheduling.  It's conceivable that other audio apps
may be installed similarly.

        * esdlib.c (esd_connect_tcpip): buffer overflow exploit plugged.
        BugTraq's example was 80 bytes long, make the buffer bigger than
        that, and actually check its size before doing the strncpy.

Index: esdlib.c
===================================================================
RCS file: /cvs/gnome/esound/esdlib.c,v
retrieving revision 1.63
diff -u -b -B -p -r1.63 esdlib.c
--- esdlib.c    1999/09/04 00:16:38     1.63
+++ esdlib.c    1999/09/29 00:10:03
@@ -425,7 +425,7 @@ esd_connect_tcpip(const char *host)
     int socket_out = -1;
     int curstate = 1;
     char default_host[] = "0.0.0.0";
-    char connect_host[64];
+    char connect_host[128] = "0.0.0.0";
     int port = ESD_DEFAULT_PORT;
     unsigned int host_div = 0;
   
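Review bot: the `= "0.0.0.0"` initializer added to `connect_host` in this hunk duplicates the `default_host[] = "0.0.0.0"` array declared two lines above it, which is presumably what the `else` branch at the end of the next hunk copies in; keep one source of the default rather than two that can drift apart. Growing the array from 64 to 128 is not what closes the hole, the length check in the next hunk is, so the literal 128 here is now a magic number that the check must be kept in step with; express the bound at the check site as `sizeof connect_host` instead of repeating the constant.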
@@ -437,6 +437,12 @@ esd_connect_tcpip(const char *host)
     
        /* get host */
        if ( host_div ) {
+           if ( host_div >= 128 ) {
+               fprintf( stderr, "ESPEAKER host name too long: \"%s\"!\n", 
+                        espeaker );
+               return -1;
+           }
+
            strncpy( connect_host, espeaker, host_div );
            connect_host[ host_div ] = '\0';
        } else {
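Review bot: the new bound `if ( host_div >= 128 )` hard-codes the size of `connect_host` from the previous hunk; write it as `if ( host_div >= sizeof connect_host )` so the check cannot silently become wrong if the buffer is resized again. With the check as written the arithmetic is right: `host_div` is at most 127, so `strncpy( connect_host, espeaker, host_div )` followed by `connect_host[ host_div ] = '\0'` writes no further than index 127, which is in bounds for a 128-byte array. One more point for a library that runs inside setuid audio clients: the diagnostic echoes the full attacker-supplied `espeaker` string to stderr with `%s`; that is harmless for an error path, but a length-limited print (for instance `%.*s` with `host_div`) would avoid dumping an arbitrarily long environment value.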

> > If the problem exists at all, it's a Mandrake-specific packaging error,
> > not anything to do with GNOME. nethack is not part of Red Hat Linux, does
> > not use GNOME or esound, and is not installed s[ug]id root in the
> > powertools package.
> >
> 
> Gnomehack does use gnomelibs. Never tried Gnomehack, Elliot? Shame on
> you. :) Anyway, it should be setgid games (to give it permission to
> write high scores in /var/lib/games/gnomehack per the ancient nethack
> way of doing things). If it is setgid root, that is somebody else's
> fault, not mine. The way I put gnomehack together, the worst that could
> happen on a buffer overflow would be that somebody gets to fake a high
> score.

-- ebm
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
|  __                         a.k.a. Eric B. Mitchell |
|  |_) .  _  _|      _|  _        ricdude@toad.net    |
|  | \ ( (_ (_| (_| (_| (/_    www.toad.net/~ricdude  |
| How's My Programming?   Call:  1 - 800 - DEV - NULL |
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
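As an added example, not esound's code and not the patch above: the bounded ESPEAKER "host[:port]" split that the message describes, written so the length check is tied to the destination buffer with `sizeof` rather than a repeated literal. `parse_espeaker`, `parses_to`, `accepts_host_of_length`, `HOST_BUF` and the value assumed for `DEFAULT_PORT` are all hypothetical names chosen for this illustration; the inputs in `main` and the probe strings are constructed. The point it demonstrates is the one the ChangeLog entry makes: an 80-byte host name offered to a 64-byte stack buffer is refused before any copy happens, while a 63-byte name still fits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_BUF     64      /* same size as the original connect_host[64] */
#define DEFAULT_PORT 16001   /* assumed value of ESD_DEFAULT_PORT */

/*
 * Split an ESPEAKER-style "host[:port]" string into a caller-supplied,
 * fixed-size host buffer. Hypothetical function, not esound's own.
 * Returns 0 on success, -1 if the host part would not fit in host_out.
 */
int parse_espeaker(const char *espeaker, char *host_out, size_t host_len,
                   int *port_out)
{
    const char *colon;
    size_t host_div;

    *port_out = DEFAULT_PORT;
    if (host_len == 0)
        return -1;
    if (espeaker == NULL)
        espeaker = "";                 /* unset variable: use the default host */

    colon = strchr(espeaker, ':');
    host_div = colon ? (size_t)(colon - espeaker) : strlen(espeaker);

    /* The check the unpatched code lacked. The copy below writes host_div
     * bytes plus a terminating NUL, so it only fits when host_div < host_len;
     * an 80-byte host name aimed at a 64-byte buffer is refused here instead
     * of overrunning the stack. */
    if (host_div >= host_len) {
        fprintf(stderr, "ESPEAKER host name too long (%zu bytes, max %zu)\n",
                host_div, host_len - 1);
        return -1;
    }

    if (host_div == 0) {
        /* "" or ":port": no host given, fall back to the loopback default */
        if (host_len < sizeof "0.0.0.0")
            return -1;
        strcpy(host_out, "0.0.0.0");
    } else {
        memcpy(host_out, espeaker, host_div);
        host_out[host_div] = '\0';
    }

    if (colon != NULL && colon[1] != '\0')
        *port_out = atoi(colon + 1);
    return 0;
}

/* Self-check helper: 1 if `in` parses to exactly this host and port. */
int parses_to(const char *in, const char *want_host, int want_port)
{
    char connect_host[HOST_BUF];
    int port;

    if (parse_espeaker(in, connect_host, sizeof connect_host, &port) != 0)
        return 0;
    return strcmp(connect_host, want_host) == 0 && port == want_port;
}

/* Boundary probe: result of parsing a constructed host name of exactly
 * n bytes (all 'a') into a HOST_BUF-sized buffer. */
int accepts_host_of_length(size_t n)
{
    char espeaker[256];
    char connect_host[HOST_BUF];
    int port;

    if (n >= sizeof espeaker)
        return -1;
    memset(espeaker, 'a', n);
    espeaker[n] = '\0';
    return parse_espeaker(espeaker, connect_host, sizeof connect_host, &port);
}

int main(void)
{
    const char *inputs[] = { "audio.example:16002", "audio.example", ":5001", "" };
    char connect_host[HOST_BUF];
    int port;
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        if (parse_espeaker(inputs[i], connect_host, sizeof connect_host, &port) == 0)
            printf("\"%s\" -> host=%s port=%d\n", inputs[i], connect_host, port);

    printf("63-byte host: %s\n", accepts_host_of_length(63) == 0 ? "fits" : "rejected");
    printf("80-byte host: %s\n", accepts_host_of_length(80) == 0 ? "fits" : "rejected");
    return 0;
}
```

The bound is taken from `sizeof connect_host` at the call site, so resizing the array cannot leave a stale constant behind, and the copy is a `memcpy` of a length already proven to fit rather than a `strncpy` whose length argument is itself the untrusted value.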