[26389] in bugtraq
Re: [VulnWatch] KDE 2/3 artsd 1.0.0 local root exploit
daemon@ATHENA.MIT.EDU (H D Moore)
Mon Jul 29 18:10:42 2002
From: H D Moore <hdm@digitaloffense.net>
To: "kokane" <kokane@segfault.ch>, <bugtraq@securityfocus.com>,
<vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>
Date: Mon, 29 Jul 2002 13:43:30 -0500
In-Reply-To: <000a01c23729$1a744710$56dde6c2@cuntNIX>
Message-Id: <200207291343.31929.hdm@digitaloffense.net>
The artsd binary is not setuid; it's supposed to be called by the setuid
artswrapper application (which sets a higher scheduling priority,
setuid(getuid())'s and executes the real artsd binary). I haven't bothered
to look through the shellcode for backdoors yet...
---
hdm@masada:/tools> head -n 20 bp_artsd.c && ls -la /opt/kde3/bin/artsd && cat /etc/SuSE-release
/* bp_artsd.c
* KDE 2/3 artsd 1.0.0 local root exploit
*
* credits: dvorak (helped me A LOT!@#), electronicsouls.org
*
* greets:
* bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
* philer, preamble, eth1cal
* fucks to: fd0 (du schwule schlumpf)
*
* -kokane <kokane@segfault.ch>
*/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#define BSIZE 1033
#define ESIZE 5120
#define RET 0xbffff808 /* tested on suse linux 8.0 */
-rwxr-xr-x 1 root root 126696 May 14 19:30 /opt/kde3/bin/artsd
SuSE Linux 8.0 (i386)
VERSION = 8.0
On Monday 29 July 2002 12:55, kokane wrote:
> KDE 2/3 artsd 1.0.0 local root exploit PoC.
>
> Cheers,
> -kokane
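
The wrapper arrangement described in the reply above (a setuid helper raises scheduling priority, calls setuid(getuid()), then executes a non-setuid binary), as an added C example that is not part of the original message and is not artswrapper's source. The function names, the use of setpriority() with the value -5, and the refusal to exec a setuid-root target are assumptions made for illustration.

```c
/* Added illustration of the setuid-wrapper pattern; not artswrapper's code. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/resource.h>

/* 1 if the mode bits carry the setuid flag ("-rwsr-xr-x"), else 0. */
int has_setuid_bit(mode_t mode) { return (mode & S_ISUID) != 0; }

/* 1 if path is setuid and owned by root, 0 if not, -1 if stat() fails. */
int is_setuid_root(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return has_setuid_bit(st.st_mode) && st.st_uid == 0;
}

/* Permanently return to the invoking user's ids; 0 on success.
 * Group first: after the uid is dropped, setgid() is no longer permitted. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    /* Verify the drop: a non-root caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Wrapper flow: privileged step, drop, then exec the unprivileged target. */
int run_wrapped(const char *target, char *const argv[]) {
    /* Assumed stand-in for "higher scheduling priority"; failure is not fatal. */
    if (setpriority(PRIO_PROCESS, 0, -5) != 0)
        perror("setpriority");
    if (drop_privileges() != 0) return -1;      /* never exec if the drop failed */
    if (is_setuid_root(target) == 1) return -1; /* exec would regain root (added check) */
    execv(target, argv);
    return -1;                                  /* reached only if execv failed */
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/target [args]\n", argv[0]);
        return 2;
    }
    run_wrapped(argv[1], &argv[1]);
    return 1; /* run_wrapped only returns on failure */
}
```

The mode shown in the ls output above, -rwxr-xr-x (0755), is the case where has_setuid_bit() returns 0.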