Bugtraq mailing list archives

Re: Security hole in kppp


From: wuebben () MATH CORNELL EDU (Bernd Johannes Wuebben)
Date: Wed, 29 Apr 1998 15:19:40 -0400


This bug was fixed a while ago. Users of kppp in a
security-sensitive environment should upgrade to kppp-1.1.3.

Furthermore, I urge users of kppp in a security-sensitive
environment not to run kppp SETUID root, but rather to
create a modem group.

kppp-1.1.3 is available in the kdenetwork package in the
snapshots directory on ftp.kde.org and its mirrors.

Best Regards,
Bernd Wuebben

I found an exploitable bug in my kppp application that comes with the KDE
environment.
A local user can execute malicious code to obtain root access/shell.

gollum:~$ cd /usr/local/kde/bin
gollum:/usr/local/kde/bin$ ls -la kppp
-rwsr-xr-x   1 root     root       262516 Mar 15 01:17 kppp*
( ^- suid!)

gollum:/usr/local/kde/bin$ kppp -h
kppp -- valid command line options:
-h describe command line options
-c account_name : connect to account account_name
-q : quit after end of connection
-r rule_file: check syntax of rule_file

I discovered that the -c option is buggy and has a root-exploitable buffer overflow.


--------------------------------------------------------------------
Bernd Johannes Wuebben                          wuebben () kde org
wuebben () math cornell edu                        wuebben () acm org
--------------------------------------------------------------------
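The report above says only that "-c account_name" has a root-exploitable buffer overflow in a setuid-root binary; it does not show the code. The following is an added illustration, not kppp's source and not from either poster: it shows the classic bug pattern that produces such an overflow (an argv string copied into a fixed stack buffer without a length check), the bounded version beside it, and a check for whether the process is still running setuid root, which is what the reply recommends avoiding in favour of a modem group. The function names, the 32-byte buffer size and the option walker are assumptions made for the example.

```c
/* Added illustration, not kppp's source: the "-c account_name" overflow
 * pattern in a setuid-root program, next to a bounded version. Function
 * names and the 32-byte limit are assumptions, not taken from kppp. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define ACCOUNT_MAX 32   /* assumed fixed-size buffer for the account name */

/* Vulnerable pattern: argv text copied into a fixed stack buffer with no
 * length check. With the binary setuid root, a local user who passes an
 * over-long -c argument overwrites the stack frame while running as root.
 * Kept only for contrast; never call it with untrusted input. */
static void connect_account_unsafe(const char *name)
{
    char account[ACCOUNT_MAX];
    strcpy(account, name);            /* no bound: overflows if name >= 32 bytes */
    printf("connecting to %s\n", account);
}

/* Hardened pattern: reject anything that does not fit, then copy with an
 * explicit bound and a guaranteed NUL terminator. Returns 0 on success,
 * -1 if the name is too long (the caller prints usage and exits). */
static int connect_account_safe(char *dst, size_t dstlen, const char *name)
{
    size_t n = strlen(name);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, name, n + 1);         /* n < dstlen, so the NUL fits */
    return 0;
}

/* Returns 1 when the effective uid is root but the real uid is not, i.e.
 * the binary is still installed setuid root (the reply recommends a modem
 * group instead of the setuid bit). */
static int running_setuid_root(void)
{
    return geteuid() == 0 && getuid() != 0;
}

/* Minimal option walk for "-c account_name" (assumed, not kppp's parser).
 * Copies the account name into `out`; returns 0 on success, -1 on a
 * missing argument, an over-long name, or no -c at all. */
static int parse_connect_option(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) {
            if (i + 1 >= argc)
                return -1;            /* -c without an argument */
            return connect_account_safe(out, outlen, argv[i + 1]);
        }
    }
    return -1;                        /* no -c given */
}

int main(int argc, char **argv)
{
    char account[ACCOUNT_MAX];

    if (running_setuid_root())
        fprintf(stderr, "warning: running setuid root; use a modem group instead\n");

    if (parse_connect_option(argc, argv, account, sizeof account) != 0) {
        fprintf(stderr, "usage: %s -c account_name (at most %d bytes)\n",
                argv[0], ACCOUNT_MAX - 1);
        return 1;
    }
    printf("connecting to %s\n", account);
    (void)connect_account_unsafe;      /* referenced only to keep the contrast visible */
    return 0;
}
```

The point of the bounded version is that the length check happens before any copy, so an over-long name is reported rather than written; the setuid check is only a diagnostic, since the real fix the reply describes is to drop the setuid bit and grant modem access through group membership on the device node.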


