[16103] in bugtraq
Re: kon2
daemon@ATHENA.MIT.EDU (Martin Schulze)
Mon Aug 7 04:32:33 2000
Message-Id: <20000807002637.A21659@finlandia.infodrom.north.de>
Date: Mon, 7 Aug 2000 00:26:37 +0200
Reply-To: Martin Schulze <joey@infodrom.north.de>
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
X-To: Hugo Oliveira Dias <bsphere@clix.pt>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000804095642.G5625@securityfocus.com>; from
aleph1@SECURITYFOCUS.COM on Fri, Aug 04, 2000 at 09:56:42AM -0700
Elias Levy wrote:
> Package : kon2-0.3.8
> Compromise : root
> Vulnerable Systems : All linux systems that have this package installed.
> Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphere@clix.pt
>
> Discussion :
>
> There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8
> package. This program accepts options input from a text file and it's possible
> to input arbitrary code into the stack and spawn a root shell.
> This code uses zsh with the name of zh to spawn the shell.
> The exploit code was developed to participate in Wargames of www.hack3r.com.
> The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4
> and my distribution is Linux Mandrake 7.0. Both revealed to be vulnerable to this
> exploit. I think Debian also has this package but I don't try this exploit in it.
Yes, Debian distributes kon2 packages:
Debian GNU/Linux 2.1 0.3.7-9
Debian GNU/Linux 2.2 0.3.9b-3
The Debian maintainer for kon2 has decided not to make /usr/bin/fld
setuid, so the exploit doesn't seem to work there.
> I didn't know where to report the bug first, because it is the first time I find
> a suid exploitable program, so I send it to you www.securityfocus.com and so
> the problem can be solved.
Thanks.
Regards,
Joey
Debian Security Team
--
Unix is user friendly ... It's just picky about its friends.