kajgan / fbterm

Automatically exported from code.google.com/p/fbterm

Root escalation if installed setuid as suggested in man page #77

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
It's vital to check the return result of seteuid, especially when the caller is 
UID 0; the call can be made to fail by an attacker, causing a root escalation 
vulnerability.

http://man7.org/linux/man-pages/man2/seteuid.2.html says:
    On success, zero is returned.  On error, -1 is returned, and errno is
    set appropriately.

    Note: there are cases where seteuid() can fail even when the caller
    is UID 0; it is a grave security error to omit checking for a failure
    return from seteuid().

A grep shows the following line numbers:

fbshell.cpp:562
vesadev.cpp:130
vesadev.cpp:287
input.cpp:168

These locations all have vulnerable seteuid(getuid()) calls.

Original issue reported on code.google.com by cwi...@gmail.com on 28 May 2015 at 12:49
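
An added example, not part of the original issue and not fbterm's own code: the unchecked `seteuid(getuid())` pattern the report describes, beside a checked form that fails closed. The function names, the injectable `seteuid_fn` parameter and the `failing_seteuid` stub are assumptions, introduced so the failure path can be run without privileges.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes seteuid() under strict -std= modes */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as seteuid(); injectable so the failure path can be run. */
typedef int (*seteuid_fn)(uid_t);

/* Constructed stub (assumption for this demo): a seteuid() that fails. */
int failing_seteuid(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Pattern from the issue: result ignored, caller always told "dropped". */
int drop_unchecked(seteuid_fn set) {
    set(getuid());
    return 0;
}

/* Checked form: 0 only if the call succeeded and euid == ruid afterwards. */
int drop_checked(seteuid_fn set) {
    uid_t ruid = getuid();
    if (set(ruid) != 0) {
        fprintf(stderr, "seteuid(%lu): %s\n", (unsigned long)ruid, strerror(errno));
        return -1;
    }
    return geteuid() == ruid ? 0 : -1;
}

int main(void) {
    /* Simulated failure: unchecked code carries on, checked code reports it. */
    printf("unchecked, failing call -> %d\n", drop_unchecked(failing_seteuid));
    printf("checked, failing call   -> %d\n", drop_checked(failing_seteuid));
    /* Real call: fail closed rather than continue with the old euid. */
    if (drop_checked(seteuid) != 0)
        return 1;
    puts("effective UID now equals real UID");
    return 0;
}
```

In a setuid program the caller of `drop_checked` should terminate on a non-zero result instead of continuing into user-controlled work.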