Jan Kybic and Peter Samuelson's BitMap Viewer (BMV) application is a PostScript viewer for the Linux console that does not require X. The application is mainly used for viewing postscript files from DVI output.
BMV is a PostScript-viewing application for Linux that works with the library SVGAlib. SVGAlib is a low-level graphics library for Linux that does not require X Windows. If BMV is compiled against SVGAlib and installed set user id root, as is the default case in Debian 3.0, then an attacker with console access could obtain access to a read/write descriptor to /dev/mem. The attacker could do so by supplying an attack application as the argument to the switch -g.
A read/write descriptor to kernel memory provides an attacker for many possibilities of achieving a root compromise. One such example is the ability to redefine low-level system calls. If getuid32() were modified to return 0, then any user could "su" to root without supplying a password.
iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.
iDEFENSE has verified the existence of the vulnerability in BMV version 1.2 when compiled against SVGALIB version 1.4.3.
Remove the package if it is unused. On systems where BMV is required, remove the set user id bit from the BMV binary with the following command:
# chmod u-s `which bmv`
This prevents attackers from exploiting the vulnerability, but it also prevents regular users from properly utilizing BMV.
This issue was reportedly fixed in version 1.2a of BMV.
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.
11/28/2002 Exploit acquired by iDEFENSE
12/01/2002 Initial vendor notification
12/13/2002 iDEFENSE Clients notified
12/27/2002 Public Disclosure
Andrew Griffiths is credited with this discovery.
Get paid for vulnerability research
Copyright © 2004 Verisign, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email firstname.lastname@example.org for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,