[8592] in bugtraq
Re: KDE 1.0's klock can be used to gain root privileges
daemon@ATHENA.MIT.EDU (Phillip Vandry)
Wed Nov 18 13:19:06 1998
Date: Tue, 17 Nov 1998 12:03:52 -0500
Reply-To: Phillip Vandry <vandry@MLINK.NET>
From: Phillip Vandry <vandry@MLINK.NET>
X-To: HD Moore <hdmoore@USA.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 16 Nov 1998 19:57:51 EST." <00a101be11cd$b00a8580$0100a8c0@entropy>
> The SUID program klock shipped with KDE 1.0 attempts to execute
> kblankscrn.kss in the same directory as it. If kblankscrn.kss cannot
> be executed (missing or mode -x) then klock will search the current
> user's $PATH for any executable with the same name and execute it as
> ROOT. If no executable is found in the current path it gives this
> message:
How does klock know which directory it is itself in? As far as I know,
there is no secure way for a program to find out where its own
executable is located, therefore one should also be able to convince
it to execute a trojan kblankscrn.kss without having to move anything?
-Phil