gpm-root fails to correctly release GID 0 membership for user defined menus

Overview

gpm-root does not properly drop group privileges. Local users can gain group privileges by starting a utility from gpm-root. The gpm package is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local.

Description

gpm (General Purpose Mouse) is the program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. gpm-root is a program in the gpm package that allow the use of menus in console mode when Ctrl + Mousebutton is pressed. The gpm-root daemon in gpm version 1.19.1 and earlier lets the user execute any command with elevated group privileges. To exploit this problem, gpm-root must be running on a machine and the user needs both to login to that machine and to have physical access to the keyboard and mouse. When the user selects a utility from a menu, gpm-root starts the associated process with the group and supplementary groups of the gpm-root daemon. A call to setgid fails, providing the user the group privileges of the gpm-root program. The group for the gpm-root binary in the affected installations is root.

---

Impact

A user with console access can use this vulnerability to execute arbitrary commands with elevated group privileges.

---

Solution

Upgrade to gpm version 1.19.2 or later, or apply its setuid(), setgid() and initgruops() related patches.

---

Vendor Information

22091

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

RedHat __ Affected

Notified: July 26, 2000 Updated: June 01, 2001

Status

Affected

Vendor Statement

Red Hat has released a security advisory at <http://www.redhat.com/support/errata/RHSA-2000-045-01.html&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2322091 Feedback>).

TurboLinux __ Affected

Notified: May 26, 2000 Updated: June 01, 2001

Status

Affected

Vendor Statement

TurboLinux has released a security advisory at <http://www.turbolinux.com/pipermail/tl-security-announce/2000-May/000204.html&gt;.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%2322091 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://www.redhat.com/support/errata/RHSA-2000-045-01.html&gt;
• [ http://www.securityfocus.com/archive/1/56675](< http://www.securityfocus.com/archive/1/56675&gt;)
• [ http://www.turbolinux.com/pipermail/tl-security-announce/2000-May/000204.html ](< http://www.turbolinux.com/pipermail/tl-security-announce/2000-May/000204.html >)

Acknowledgements

Thanks to Egmont Koblinger for discovering this vulnerability.

This document was written by Andy Moore.

Other Information

CVE IDs:	CVE-2000-0229
Severity Metric:	7.59 Date Public: