Subject: Re: kon2
From: Martin Schulze (joeyFINLANDIA.INFODROM.NORTH.DE)
Date: Sun Aug 06 2000 - 17:26:37 CDT


Elias Levy wrote:
> Package : kon2-0.3.8
> Compromise : root
> Vulnerable Systems : All Linux systems that have this package installed.
> Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphereclix.pt
>
> Discussion :
>
> There is a vulnerable suid program, called FLD, that is part of the kon2-0.3.8
> package. This program accepts options input from a text file and it's possible
> to input arbitrary code into the stack and spawn a root shell.

> This code uses zsh with the name of zh to spawn the shell.
> The exploit code was developed to participate in Wargames of www.hack3r.com.
> The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4
> and my distribution is Linux Mandrake 7.0. Both revealed to be vulnerable to this
> exploit. I think Debian also has this package but I didn't try this exploit on it.

Yes, Debian distributes kon2 packages:

Debian GNU/Linux 2.1 0.3.7-9
Debian GNU/Linux 2.2 0.3.9b-3

The Debian maintainer for kon2 has decided not to make /usr/bin/fld
setuid, so the exploit doesn't seem to work there.

> I didn't know where to report the bug first, because it is the first time I find
> a suid exploitable program, so I send it to you www.securityfocus.com and so
> the problem can be solved.

Thanks.

Regards,

        Joey
        Debian Security Team

--
Unix is user friendly ...  It's just picky about its friends.
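
The check the reply above turns on (whether fld is installed setuid root on a given system), as an added example that is not part of the original message or of any kon2 or Debian tooling. The helper names `suid_state` and `audit_fld` are hypothetical; `/usr/bin/fld` is the path named in the message.

```shell
#!/bin/sh
# Added example: classify a binary by its setuid state.
# The issue in the advisory only yields root where fld is setuid AND owned by root.

# suid_state PATH -> prints one of:
#   missing | not-regular | not-setuid | setuid-root | setuid-uid-<N>
suid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 0
    fi
    if [ ! -f "$f" ]; then
        echo "not-regular"
        return 0
    fi
    # Numeric owner uid is the third field of a long numeric listing;
    # -L follows symlinks so the owner matches what the [ -u ] test inspects.
    owner=$(ls -ldnL -- "$f" | awk '{print $3}')
    if [ -u "$f" ]; then
        if [ "$owner" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-uid-$owner"
        fi
    else
        echo "not-setuid"
    fi
}

# audit_fld [PATH...] -> reports each path; returns 1 if any is setuid root.
# With no arguments it checks /usr/bin/fld, the path named in the message.
audit_fld() {
    [ "$#" -gt 0 ] || set -- /usr/bin/fld
    rc=0
    for p in "$@"; do
        state=$(suid_state "$p")
        printf '%s: %s\n' "$p" "$state"
        case $state in
            setuid-root) rc=1 ;;
        esac
    done
    return $rc
}
```

Where `audit_fld` reports `setuid-root`, clearing the bit with `chmod u-s` on that file leaves the binary in the state the Debian packages ship it in.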