Bugtraq mailing list archives
Re: KDE 1.0's klock can be used to gain root priveledges
From: vandry () MLINK NET (Phillip Vandry)
Date: Tue, 17 Nov 1998 12:03:52 -0500
> The SUID program klock shipped with KDE 1.0 attempts to execute kblankscrn.kss in the same directory as it. If kblankscrn.kss cannot be executed (missing or mode -x) then klock will search the current user's $PATH for any executable with the same name and execute it as ROOT. If no executable is found in the current path it gives this message:
How does klock know which directory it is itself in? As far as I know, there is no secure way for a program to find out where its own executable is located, therefore it should also be able to convince it to execute a trojan kblankscrn.kss without having to move anything?

-Phil
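The two concerns raised in this thread (a fallback search of the caller's $PATH, and a helper directory inferred at run time) are both avoided when a privileged launcher opens its helper from a path fixed at build time, verifies the opened file, and fails closed. The sketch below is an added example, not code from the post or from KDE; `HELPER_PATH`, `open_trusted_helper` and `run_helper` are hypothetical names, and the install path is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical install location, fixed at build time.
 * It is never derived from argv[0], the working directory or $PATH. */
#define HELPER_PATH "/usr/local/kde/bin/kblankscrn.kss"

/* Open the helper and verify it. Returns an fd on success, -1 on rejection. */
int open_trusted_helper(const char *path, uid_t owner)
{
    struct stat st;
    int fd;

    if (path == NULL || path[0] != '/')      /* absolute paths only */
        return -1;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_CLOEXEC: the descriptor is not inherited by the (binary) helper. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Check the descriptor that will be executed, not the name,
     * so the file cannot be swapped between check and exec. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||                  /* wrong owner */
        (st.st_mode & (S_IWGRP | S_IWOTH)) ||  /* writable by others */
        !(st.st_mode & S_IXUSR)) {             /* not executable */
        close(fd);
        return -1;
    }
    return fd;
}

/* Run the helper with a minimal environment; any failure is final. */
int run_helper(void)
{
    char *const argv[] = { (char *)"kblankscrn.kss", NULL };
    char *const envp[] = { (char *)"PATH=/usr/bin:/bin", NULL };
    int fd = open_trusted_helper(HELPER_PATH, 0 /* root-owned */);

    if (fd < 0)
        return -1;            /* no $PATH search, no execvp() fallback */
    fexecve(fd, argv, envp);  /* returns only on error */
    close(fd);
    return -1;
}

int main(void) { return run_helper() == 0 ? 0 : 1; }
```

The check covers the helper file itself; the directories above it also need to be writable only by root for the fixed path to be trustworthy.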