An svgalib vulnerability


From: Matan Ziv-Av (matan@arava.co.il)
Date: Sat 24 Oct 1998 - 22:19:32 IST


Hello,

A new zgv vulnerability was discovered
(http://csclub.stthomas.edu/~bugtraq/msg02075.html)
that is actually an svgalib vulnerability:
While svgalib gives up root privileges right after initialization, it
keeps an open file descriptor for /dev/mem, which the program can
write, and thus gain root access. The problem is not only with
programs that have a stack overflow vulnerability, but also for
programs that by design run other (arbitrary) programs (such as zgv,
tmview). 

The only solution I can think of is using mmap to do something like
phys(2) (which is not implemented), and then closing the /dev/mem file
descriptor (if it is possible).

Can anyone tell me whether this can work, and if not, is there another
solution?
 


Matan Ziv-Av.        zivav@cs.bgu.ac.il
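
On the question asked in the message, an added example (not part of the original post and not svgalib code): on Linux a shared mapping stays usable after the descriptor it was created from is closed, and mappings are not preserved across exec, so a program started later inherits neither the descriptor nor the mapping. The sketch uses a constructed temporary file as a stand-in for /dev/mem; `map_then_close`, `fd_is_closed` and `demo` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L

#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAP_LEN 4096

/* Map MAP_LEN bytes of path shared read/write, then close the descriptor.
 * The number of the closed descriptor is stored in *closed_fd. */
void *map_then_close(const char *path, int *closed_fd)
{
    int fd = open(path, O_RDWR | O_CLOEXEC); /* never inherited across exec */
    if (fd < 0) return NULL;
    void *p = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd); /* the mapping keeps its own reference to the file */
    *closed_fd = fd;
    return p == MAP_FAILED ? NULL : p;
}

/* 1 if fd is not an open descriptor in this process. */
int fd_is_closed(int fd)
{
    return fcntl(fd, F_GETFD) == -1 && errno == EBADF;
}

/* Run the check on a constructed temp file standing in for /dev/mem.
 * Returns 1 if the mapping is still writable after the descriptor is gone. */
int demo(void)
{
    char path[] = "/tmp/mapdemoXXXXXX";
    int tmp = mkstemp(path), old_fd = -1, ok = 0;
    unsigned char back = 0, *fb;
    if (tmp < 0) return 0;
    if (ftruncate(tmp, MAP_LEN) == 0 && (fb = map_then_close(path, &old_fd))) {
        fb[100] = 0x5a; /* write through the mapping, descriptor already closed */
        msync(fb, MAP_LEN, MS_SYNC);
        ok = fd_is_closed(old_fd) && pread(tmp, &back, 1, 100) == 1 && back == 0x5a;
        munmap(fb, MAP_LEN);
    }
    close(tmp);
    unlink(path);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

The running process keeps whatever range it mapped, so this narrows what a later exec'd program inherits; it does not protect against code running inside the process that still holds the mapping.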


This archive was generated by hypermail 2.1.4 : Wed 21 Jan 2004 - 22:10:22 IST