[6796] in bugtraq
Re: simple kde exploit fix
daemon@ATHENA.MIT.EDU (Luca Berra)
Mon May 18 14:11:57 1998
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Mon, 18 May 1998 17:48:45 +0200
Reply-To: bluca@comedia.it
From: Luca Berra <bluca@COMEDIA.IT>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980517144346.10501A-100000@lurk.kellogg.nwu.edu>;
from David Zhao on Sun, May 17, 1998 at 02:52:10PM -0500
On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote:
.....
>
> this fixes the exploit given and is a classic stack overflow exploit, the
> thing is KDE uses the getenv function multiple times to get the home
> directory (in other kde suites and programs as well) instead of getting it
> from the passwd file, strange. Most are not vulnerable cause they aren't
> suid, but it still seems to be bad programming since you can change the
> environment from the shell. The only suid programs are klock, kppp, and
> the *.kss files, I haven't checked the kss programs for bugs yet, but this
> will fix the klock.
>
to be safe:
#for kde beta 3 and kde beta 4
--- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998
@@ -206,6 +206,14 @@
int main( int argc, char *argv[] )
{
+ initPasswd();
+
+ if (getgid() != getegid())
+ setegid(getgid());
+
+ if (geteuid() != getuid())
+ seteuid(getuid());
+
Window saveWin;
int timeout = 600;
ProgramName = argv[0];
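Review bot: the new block at the top of main() drops privileges with setegid()/seteuid(), which change only the effective IDs and leave the saved set-user-ID at root, so a later seteuid(0) would restore it; the setuid(getuid()) this patch removes further down (beta 4 hunk) was a permanent drop. Unless kscreensaver has to regain root afterwards, use `setgid(getgid());` then `setuid(getuid());` in that order and check the return values, which this block ignores. Calling initPasswd() before the drop is the right order if it needs root to read the password database, but that should be stated in a comment, as the removed code did.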
#for kde beta 4:
--- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998
@@ -286,11 +294,6 @@
}
i++;
}
-
- initPasswd();
- // drop root privileges before we do anything important
- setuid(getuid());
-
if ( mode == MODE_INSTALL )
{
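Review bot: deleting `setuid(getuid());` here replaces a permanent drop of real, effective and saved UID with the seteuid()-based drop now at the top of main(), so the net effect is a weaker drop moved earlier; if the intent is only to drop before argument parsing, keep setuid() at the new location. The comment "drop root privileges before we do anything important" should move with the code rather than disappear. The header counts 11 old-side lines but only 10 are shown (3 context, 5 removed, 2 context), likely a trailing blank context line lost in mailing; check that the patch applies without a rejected hunk.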
#for kde beta 3:
--- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998
@@ -286,8 +294,6 @@
}
i++;
}
-
- initPasswd();
if ( mode == MODE_INSTALL )
{
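Review bot: in beta 3 the removed lines contain only initPasswd() with no setuid() call, so this version never dropped privileges at this point and argument parsing and the MODE_INSTALL path ran as root; after the patch the only drop is the seteuid()/setegid() pair at the top of main(), so the saved-UID concern raised for that hunk applies to beta 3 as well. As with the beta 4 hunk, the header claims 8 old-side lines while 7 are shown, so verify the patch applies cleanly.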
This is used by klock and all *.kss files.
If you have PAM, kscreensaver need not be suid; the patch is a bit long
(6K) so I will not post it here.
Regards
Luca
--
Luca Berra -- bluca@comedia.it
System and Network Manager - CoMedia s.r.l.
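As an added illustration of the two points raised in this thread (taking the home directory from the passwd database instead of the caller-controlled $HOME, and dropping set-uid privileges in a way that cannot be undone), the following C is example code written for this page; it is not code from the post or from KDE. The function names bounded_copy, home_from_passwd and drop_privileges and the 256-byte buffer are assumptions made for the illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Bounded string copy: the replacement for the fixed-size strcpy(buf, getenv("HOME"))
 * pattern the thread describes. Returns 0 if src plus its terminator fits in buf,
 * -1 otherwise; never writes past buflen bytes. (Hypothetical helper name.) */
int bounded_copy(char *buf, size_t buflen, const char *src)
{
    size_t n = strlen(src);
    if (buflen == 0)
        return -1;
    if (n >= buflen) {
        buf[0] = '\0';          /* leave a valid empty string, not a partial path */
        return -1;
    }
    memcpy(buf, src, n + 1);
    return 0;
}

/* Home directory of the real user from the passwd database, not from $HOME.
 * Whoever runs a set-uid program controls its environment, so getenv() must
 * not be trusted for anything security-relevant; getpwuid() is not under the
 * caller's control. Returns 0 on success, -1 if the user is unknown or the
 * path does not fit. (Hypothetical helper name.) */
int home_from_passwd(char *buf, size_t buflen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL)
        return -1;
    return bounded_copy(buf, buflen, pw->pw_dir);
}

/* Permanent privilege drop, called as early as possible in main() and right
 * after any step that genuinely needs root (the initPasswd() of the patch).
 * The group is dropped first, while the process is still root, then the user.
 * setgid()/setuid() issued by a root process also reset the saved IDs, which
 * setegid()/seteuid() do not, so root cannot be regained afterwards.
 * Returns 0 only if the drop is verified, -1 otherwise. (Hypothetical name.) */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the resulting IDs instead of trusting the return values alone. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* If we started set-uid root and the drop is complete, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

int main(void)
{
    char home[256];   /* constructed buffer size; the size used by the old code is not on the page */

    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges\n");
        return 1;
    }
    if (home_from_passwd(home, sizeof home) == 0)
        printf("home directory (from passwd): %s\n", home);
    else
        printf("home directory unavailable or too long for the buffer\n");
    return 0;
}
```

Run as an ordinary user the program simply confirms its own IDs and prints the passwd entry's home directory; installed set-uid root it reads nothing from the environment and has given up root, including the saved UID, before touching the buffer.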