Re: gtk+ security hole.
A simple fix to this would be to drop privileges before calling
gtk_init(). Another easy fix is to modify gtk itself; to do this you
need to make the following modification to gtkmain.c. In gtk-1.2.8 it's
at approximately line 215, where you have:
env_string = getenv ("GTK_MODULES");
add the following line above it:
if (geteuid() == getuid()) /* only read GTK_MODULES when not set*id */
This will prevent gtk from loading modules if the program calling
gtk_init has a different euid than the uid.
Chris Sharp wrote:
While going through a quick audit of gtk I found:
gtk+ can be tricked into running arbitrary code
via a bogus module. This means any program using
gtk that is set*id can be exploited via this
method. Here is an exploit I wrote for this
security hole:
original xgtk.c(working/un-wrapped):
http://realhalo.org/xgtk.c
[snip]
--
Rob Mosher
Lead Programmer / Systems Engineer
Lightning Internet Services, LLC
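The two mitigations from the reply above (skip GTK_MODULES when the real and effective uid differ, or drop privileges before gtk_init()), as an added example that is not from the original post or from gtk+ itself; the function names are hypothetical.

```c
/* Added example: defender-side checks a set*id program could run before
 * gtk_init(). Not gtk code; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* The gtkmain.c-style test: honour GTK_MODULES only when the real and
 * effective user ids agree, i.e. the process is not running set-uid. */
int gtk_modules_allowed(uid_t uid, uid_t euid)
{
    return uid == euid;
}

/* Module list gtk should see: NULL (load nothing) while set-uid,
 * otherwise whatever the environment supplied, which may be NULL. */
const char *gtk_module_string(uid_t uid, uid_t euid, const char *env_value)
{
    if (!gtk_modules_allowed(uid, euid))
        return NULL;
    return env_value;
}

/* The other fix: drop privileges permanently before any library reads the
 * environment. Group first, then user, then verify the drop actually took
 * (a setuid() that can be undone is not a drop). 0 on success, -1 on failure. */
int drop_privileges(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* A non-root process must no longer be able to regain uid 0. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    const char *mods = gtk_module_string(getuid(), geteuid(), getenv("GTK_MODULES"));
    printf("GTK_MODULES honoured: %s\n", mods ? mods : "(none)");
    /* gtk_init(&argc, &argv) would follow here, after the drop. */
    return 0;
}
```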
This mailing list archive is a service of Copilot Consulting.