[6631] in bugtraq
Re: Security hole in kppp
daemon@ATHENA.MIT.EDU (Bernd Johannes Wuebben)
Wed Apr 29 18:07:30 1998
Date: Wed, 29 Apr 1998 15:19:40 -0400
Reply-To: Bernd Johannes Wuebben <wuebben@MATH.CORNELL.EDU>
From: Bernd Johannes Wuebben <wuebben@MATH.CORNELL.EDU>
To: BUGTRAQ@NETSPACE.ORG
This bug was fixed a while ago. Users of kppp in a
security-sensitive environment should upgrade to kppp-1.1.3.

Furthermore, I urge users of kppp in a security-sensitive
environment to not run kppp SETUID root, but rather to
create a modem group.

kppp-1.1.3 is available in the kdenetwork package in the
snapshots directory on ftp.kde.org and its mirrors.

Best Regards,
Bernd Wuebben

> I found an xploitable bug in my kppp application that comes with KDE env.
>Local user can execute malicious code to obtain root access/shell.
>
>gollum:~$ cd /usr/local/kde/bin
>gollum:/usr/local/kde/bin$ ls -la kppp
>-rwsr-xr-x 1 root root 262516 Mar 15 01:17 kppp*
>( ^- suid!)
>
>gollum:/usr/local/kde/bin$ kppp -h
>kppp -- valid command line options:
> -h describe command line options
> -c account_name : connect to account account_name
> -q : quit after end of connection
> -r rule_file: check syntax of rule_file
>
> I discovered that the -c option is buggy and has a root xploitable buffer overflow.
--------------------------------------------------------------------
Bernd Johannes Wuebben wuebben@kde.org
wuebben@math.cornell.edu wuebben@acm.org
--------------------------------------------------------------------