Public Vulnerability Reports

BitMap Viewer Local Read and Write Kernel Memory Vulnerability

12.27.02

BACKGROUND

Jan Kybic and Peter Samuelson's BitMap Viewer (BMV) application is a PostScript viewer for the Linux console that does not require X. The application is mainly used for viewing postscript files from DVI output.

DESCRIPTION

BMV is a PostScript-viewing application for Linux that works with the library SVGAlib. SVGAlib is a low-level graphics library for Linux that does not require X Windows. If BMV is compiled against SVGAlib and installed set user id root, as is the default case in Debian 3.0, then an attacker with console access could obtain access to a read/write descriptor to /dev/mem. The attacker could do so by supplying an attack application as the argument to the switch -g.

ANALYSIS

A read/write descriptor to kernel memory gives an attacker many ways to achieve a root compromise. One example is the ability to redefine low-level system calls: if getuid32() were modified to return 0, then any user could "su" to root without supplying a password.

iDEFENSE has proof of concept exploit code demonstrating the impact of this vulnerability.

DETECTION

iDEFENSE has verified the existence of the vulnerability in BMV version 1.2 when compiled against SVGAlib version 1.4.3.

WORKAROUND

Remove the package if it is unused. On systems where BMV is required, remove the set user id bit from the BMV binary with the following command:

# chmod u-s `which bmv`

This prevents attackers from exploiting the vulnerability, but it also prevents regular users from properly utilizing BMV.
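The audit and workaround above, as an added shell example that is not part of the advisory: it checks whether a bmv binary is set-user-id, root-owned and linked against SVGAlib (the combination the advisory describes), and applies the chmod u-s fix. It assumes find, ldd and command -v are available; the BMV_PATH variable is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the advisory. Audits a BMV binary for the
# set-user-id root + SVGAlib configuration and can apply the workaround.

# Print "setuid" if FILE carries the set-user-id bit, else "clear".
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo clear; fi
}

# Succeed if FILE is owned by root.
owned_by_root() {
    [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# Succeed if FILE is dynamically linked against SVGAlib (libvga).
links_svgalib() {
    ldd "$1" 2>/dev/null | grep -q 'libvga'
}

# The advisory's workaround: strip the set-user-id bit, report new state.
drop_setuid() {
    chmod u-s "$1" && setuid_state "$1"
}

# Audit one path. Prints a verdict; returns 0 only when nothing is wrong.
# Vulnerable configuration = setuid bit AND root owner AND SVGAlib linkage.
audit_bmv() {
    f="$1"
    if [ ! -x "$f" ]; then echo not-found; return 1; fi
    if [ "$(setuid_state "$f")" = setuid ] && owned_by_root "$f" \
        && links_svgalib "$f"; then
        echo vulnerable-configuration; return 1
    fi
    echo ok
}

# Stand-alone use: audit the installed bmv (BMV_PATH overrides lookup).
bmv=${BMV_PATH:-$(command -v bmv 2>/dev/null || true)}
if [ -n "$bmv" ]; then
    if state=$(audit_bmv "$bmv"); then
        echo "$bmv: $state"
    else
        echo "$bmv: $state (fix: chmod u-s $bmv)"
    fi
else
    echo "bmv not installed; nothing to audit"
fi
```

Run as root to apply drop_setuid on the real binary; as an unprivileged user the script only reports.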

VENDOR RESPONSE

This issue was reportedly fixed in version 1.2a of BMV.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned to this issue.

DISCLOSURE TIMELINE

11/28/2002   Exploit acquired by iDEFENSE
12/01/2002   Initial vendor notification
12/13/2002   iDEFENSE Clients notified
12/27/2002   Public Disclosure

CREDIT

Andrew Griffiths is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.