[8599] in bugtraq
Re: KDE Screensaver vulnerability
daemon@ATHENA.MIT.EDU (pedward@WEBCOM.COM)
Wed Nov 18 17:16:58 1998
Date: Wed, 18 Nov 1998 13:57:43 -0800
Reply-To: pedward@WEBCOM.COM
From: pedward@WEBCOM.COM
X-To: esken@kde.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <98111823022300.05923@magicon> from "Christian Esken" at Nov 18, 98 11:11:06 pm

Might I suggest that you put a delay into the program, if the password
is incorrect. This way it'll be as difficult as using su to detect if
you found the correct password. Brute forcing the password list for
any given user is more easily accomplished without the delay. You
may also want to put some IPC intelligence into the program to detect
multiple instances running; anyone can write a proggie which spawns
250 kcheckpass progs, and still get decent throughput.
Perhaps a shared memory segment with a mutex would work. And the mutex
is held for the runtime of the program, providing that the UID of the people
running it is the same (50 different people running it once is OK, 1
person running it 50 concurrent times is not).

--Perry
>
> Dear Bugtraq subscribers,
>
>
> KDE Screensavers are usually running SUID root. Security issues have
> been posted to Bugtraq on Nov 16 1998, under the subject "KDE 1.0's
> klock can be used to gain root priveledges". The KDE team has now
> published a fix for the KDE1.0 branch and the current branch.
>
> With this change, screensavers and klock are not running SUID anymore.
> This will solve every potential exploit, like misuse of buffer overruns
> to gain root rights or executing a wrong executable under SUID rights.
>
> The following text explains the technique used to solve the problem.
> An advisory for distributors, users and administrators follows the
> technical description.
>
>
> Technique
> ---------
> An authentication program, kcheckpass, has been introduced. This
> is a separate helper program that runs SUID and is called each
> time a password has to be checked. The password is passed via
> STDIN to the program and the result of the authentication
> process is returned in the return code of the program.
> This program is small and supposed to be free from security hassles.
>
> Christian Esken <esken@kde.org>
>
--
Perry Harrington System Software Engineer zelur xuniL ()
http://www.webcom.com perry.harrington@webcom.com Think Blue. /\
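The two mitigations Perry proposes (a fixed delay after a wrong password, and one checker per UID at a time) in a minimal stdin/exit-status helper of the kind Christian describes. This is an added example, not KDE's kcheckpass and not code from either poster: the lock directory /var/run/kcheck, the per-UID lock-file scheme built on flock(2) rather than a shared-memory mutex, and the constructed expected password (a stand-in for the crypt(3) lookup against the password database a real helper would do) are all assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/types.h>
#include <unistd.h>

#define FAIL_DELAY_SECONDS 2U   /* pause after a wrong password, as su(1) does */

/* Constructed stand-in for the real credential lookup; a real helper would
 * compare against crypt(3) of the stored hash, never a fixed string. */
static const char *EXPECTED_PASSWORD = "constructed-secret";

/* Compare two strings in time that does not depend on where they differ. */
static int constant_time_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Mitigation 1: a wrong password costs delay_seconds before the helper
 * reports failure.  Returns 0 on match, 1 on mismatch. */
int check_password(const char *expected, const char *supplied, unsigned delay_seconds)
{
    if (constant_time_equal(expected, supplied))
        return 0;
    if (delay_seconds)
        sleep(delay_seconds);
    return 1;
}

/* Mitigation 2: one checker per UID.  Takes an exclusive non-blocking
 * flock(2) on <lockdir>/<uid>.lock and returns the fd holding it, or -1
 * with errno == EWOULDBLOCK when the same UID already has a checker
 * running.  The lock lives as long as the fd, i.e. the whole program run;
 * different UIDs use different files, so they never block each other. */
int acquire_uid_lock(const char *lockdir, uid_t uid)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%lu.lock", lockdir, (unsigned long)uid);
    int fd = open(path, O_RDWR | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Exercises the lock rule in one process (separate open file descriptions
 * conflict under flock): a second checker for UID 1000 is refused while
 * the first holds the lock, UID 1001 is admitted, and UID 1000 is admitted
 * again once the first checker releases.  Returns 1 if all of that holds. */
int demo_uid_lock(void)
{
    char tmpl[] = "/tmp/kcheck-lock-XXXXXX", local[] = "./kcheck-lock-XXXXXX";
    char *dir = mkdtemp(tmpl);                   /* constructed temp lock dir */
    if (!dir && !(dir = mkdtemp(local)))
        return 0;
    int first = acquire_uid_lock(dir, 1000);
    int second = acquire_uid_lock(dir, 1000);
    int second_errno = errno;
    int other = acquire_uid_lock(dir, 1001);
    int ok = first >= 0 && second < 0 && second_errno == EWOULDBLOCK && other >= 0;
    if (second >= 0) close(second);
    close(first);                                /* checker 1 exits */
    int again = acquire_uid_lock(dir, 1000);
    ok = ok && again >= 0;
    close(again); close(other);
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/1000.lock", dir); unlink(path);
    snprintf(path, sizeof path, "%s/1001.lock", dir); unlink(path);
    rmdir(dir);
    return ok;
}

/* Helper entry point: password on stdin, result in the exit status. */
int main(void)
{
    if (acquire_uid_lock("/var/run/kcheck", getuid()) < 0) {   /* assumed dir */
        fputs("a password check is already running for this user\n", stderr);
        return 2;
    }
    char buf[256];
    if (!fgets(buf, sizeof buf, stdin))
        return 1;
    buf[strcspn(buf, "\n")] = '\0';
    int rc = check_password(EXPECTED_PASSWORD, buf, FAIL_DELAY_SECONDS);
    memset(buf, 0, sizeof buf);                  /* don't leave the password around */
    return rc;
}
```

Because the helper runs SUID root, the lock directory has to be root-owned and not writable by the calling user; otherwise the user could unlink or replace the lock file and defeat the per-UID limit. The delay is applied only on mismatch so that legitimate unlocking stays instant while each wrong guess through the helper costs as much as one through su.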