wmtv: Fix security hole.

Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>. From [1]: From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: wmtv: dangerous suid root Date: Thu, 08 Nov 2001 20:07:52 +0100 Hi ! I think there is a huge security hole with wmtv and, when wmtv is installed, anyone can easily get a root account. Here is what I have in my terminal: (everytime I launch wmtv, I double-clicked in the tv subwindow to call the external program) ---------------------------------------------------------------------- Tintin:~> wmtv -e whoami root Tintin:~> cat > crack_root.sh #!/bin/sh cp /bin/sh /tmp chmod u+s /tmp/sh Tintin:~> chmod +x crack_root.sh Tintin:~> wmtv -e ~/crack_root.sh Tintin:~> ll /tmp/sh -rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh* ---------------------------------------------------------------------- I tried to make wmtv non-suid root, and... sometimes it works (despite an error message), sometimes it does not... ---------------------------------------------------------------------- Tintin:~> ll /usr/bin/X11/wmtv -rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv* Tintin:~> wmtv ioctl VIDIOCSFBUF: Operation not permitted Tintin:~> wmtv ioctl VIDIOCSFBUF: Operation not permitted wmtv: no physical frame buffer access ---------------------------------------------------------------------- Hence, I guess you should either correct wmtv so that it always work without being suid root, or make wmtv lose its privileges before it runs an external program. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
2016-02-01 00:45:10 -05:00 · 2016-02-01 00:45:10 -05:00 · 74bc5a7660
parent 199e0065fe
commit 74bc5a7660
1 changed files with 12 additions and 2 deletions
--- a/wmtv/src/wmtv.c
+++ b/wmtv/src/wmtv.c
@ -249,7 +249,7 @@ main(int argc, char *argv[])
 					break;
 				case 'e':
 					exe = strdup(optarg);
-					strcat(exe, " &");
+					/* strcat(exe, " &"); */
 					break;
 				case 'b':
 					fprintf(stderr, "wmtv: option not implemented yet\n");
@ -439,7 +439,17 @@ main(int argc, char *argv[])
 													if (exe) {
 														ntfb_status = SETOFF;
 														TVOff();
-														system(exe);
+														/* system(exe); */
+														if (fork() == (pid_t) 0) {
+														char *argv[4];
+														setuid(getuid()); /* Drop the privileges */
+														argv[0] = "sh";
+														argv[1] = "-c";
+														argv[2] = exe;
+														argv[3] = NULL;
+														execv("/bin/sh", argv);
+														exit(-1);
+														}
 #if 0
 														pid = fork();