wmtv: Fix security hole.
Patch by Nicolas Boullis <Boullis.Nicolas@libertysurf.fr>. From [1]: From: Nicolas Boullis <Boullis.Nicolas@libertysurf.fr> To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: wmtv: dangerous suid root Date: Thu, 08 Nov 2001 20:07:52 +0100 Hi ! I think there is a huge security hole with wmtv and, when wmtv is installed, anyone can easily get a root account. Here is what I have in my terminal: (everytime I launch wmtv, I double-clicked in the tv subwindow to call the external program) ---------------------------------------------------------------------- Tintin:~> wmtv -e whoami root Tintin:~> cat > crack_root.sh #!/bin/sh cp /bin/sh /tmp chmod u+s /tmp/sh Tintin:~> chmod +x crack_root.sh Tintin:~> wmtv -e ~/crack_root.sh Tintin:~> ll /tmp/sh -rwsr-xr-x 1 root users 407356 Nov 8 19:25 /tmp/sh* ---------------------------------------------------------------------- I tried to make wmtv non-suid root, and... sometimes it works (despite an error message), sometimes it does not... ---------------------------------------------------------------------- Tintin:~> ll /usr/bin/X11/wmtv -rwxr-xr-x 1 root root 62588 Jul 31 01:55 /usr/bin/X11/wmtv* Tintin:~> wmtv ioctl VIDIOCSFBUF: Operation not permitted Tintin:~> wmtv ioctl VIDIOCSFBUF: Operation not permitted wmtv: no physical frame buffer access ---------------------------------------------------------------------- Hence, I guess you should either correct wmtv so that it always work without being suid root, or make wmtv lose its privileges before it runs an external program. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=118778
This commit is contained in:
parent
199e0065fe
commit
74bc5a7660
|
@ -249,7 +249,7 @@ main(int argc, char *argv[])
|
||||||
break;
|
break;
|
||||||
case 'e':
|
case 'e':
|
||||||
exe = strdup(optarg);
|
exe = strdup(optarg);
|
||||||
strcat(exe, " &");
|
/* strcat(exe, " &"); */
|
||||||
break;
|
break;
|
||||||
case 'b':
|
case 'b':
|
||||||
fprintf(stderr, "wmtv: option not implemented yet\n");
|
fprintf(stderr, "wmtv: option not implemented yet\n");
|
||||||
|
@ -439,7 +439,17 @@ main(int argc, char *argv[])
|
||||||
if (exe) {
|
if (exe) {
|
||||||
ntfb_status = SETOFF;
|
ntfb_status = SETOFF;
|
||||||
TVOff();
|
TVOff();
|
||||||
system(exe);
|
/* system(exe); */
|
||||||
|
if (fork() == (pid_t) 0) {
|
||||||
|
char *argv[4];
|
||||||
|
setuid(getuid()); /* Drop the privileges */
|
||||||
|
argv[0] = "sh";
|
||||||
|
argv[1] = "-c";
|
||||||
|
argv[2] = exe;
|
||||||
|
argv[3] = NULL;
|
||||||
|
execv("/bin/sh", argv);
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
#if 0
|
#if 0
|
||||||
pid = fork();
|
pid = fork();
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue