Bugtraq mailing list archives
Security hole in kppp
From: tdp () psynet net (|[TDP]|)
Date: Wed, 29 Apr 1998 12:39:19 +0200
I found an xploitable bug in my kppp application that comes with KDE env. Local user can execute malicious code to obtain root access/shell. gollum:~$ cd /usr/local/kde/bin gollum:/usr/local/kde/bin$ ls -la kppp -rwsr-xr-x 1 root root 262516 Mar 15 01:17 kppp* ( ^- suid!) gollum:/usr/local/kde/bin$ kppp -h kppp -- valid command line options: -h describe command line options -c account_name : connect to account account_name -q : quit after end of connection -r rule_file: check syntax of rule_file I discover that -c option is buggy and root xploitable buffer overflow. With 244 or < chars (X's) executes with out problems With 245 chars (X's) gives me an error gollum:/usr/local/kde/bin$ kppp -c XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Virtual memory exceed in `new' With 246 or > (until about 1024) chars (X's) cause a core dump :) gollum:/usr/local/kde/bin$ kppp -c XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Segmentation fault (core dumped) ^^^^^^^^^^^^ Security hole... Dangerous, isn't it? Remove the suid bit or wait for a patch -=[ [TDP] - H-13 MeMBaH ]=- -=[ tdp () psynet net ]=-
Current thread:
- Security hole in kppp |[TDP]| (Apr 29)
- <Possible follow-ups>
- Re: Security hole in kppp Bernd Johannes Wuebben (Apr 29)