Subject: [suse-security] Fw: KDE::KApplication feature?
From: bacano (bacanoesoterica.pt)
Date: Thu Jun 01 2000 - 03:16:14 CDT


Hi2all

I did get this just now, and didn't test it, but the author says that tests
were performed on suse 6.4

[ ]'s bacano

----- Original Message -----
From: "Sebastian" <krahmerCS.UNI-POTSDAM.DE>
To: <BUGTRAQSECURITYFOCUS.COM>
Sent: Wednesday, May 31, 2000 9:38 AM
Subject: KDE::KApplication feature?

> hi,
>
> Can someone check this for some KDE Versions/Linux distributions?
>
> thanx,
> Sebastian
>
> P.S.: Exploit etc. as always on my homepage or at
> http://teso.scene.at
>
>

----------------------------------------------------------------------------

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> - ------
>
> TESO Security Advisory
> 2000/05/29
>
> KDE KApplication {} configfile vulnerability
>
>
> Summary
> ===================
>
> A bug within the KDE configuration-file management has been
> discovered.
> Due to insecure creation of configuration files via KApplication-class,
> local lusers can create arbitrary files when running setuid root
> KDE-programs.
> This can result in a complete compromise of the system.
>
>
> Systems Affected
> ===================
>
> The vulnerability is at least present within KDE 1.1.2.
> All tests were performed on a SuSE 6.4 standard installation.
>
>
> Tests
> ===================
>
> bash-2.03$ nl /tmp/a.out.cc
>      1  #include <string.h>
>      2  #include <stdlib.h>
>      3  #include <stdio.h>
>      4  #include <kapp.h>
>
>      5  int main(int argc, char **argv)
>      6  {
>      7      KApplication *base = new KApplication(argc, argv);
>
>      8      base->exec();
>      9      return 0;
>     10  }
>     11
> bash-2.03$ ls -la /etc/foo
> ls: /etc/foo: No such file or directory
>
> bash-2.04$ ln -s /etc/foo ~/.kde/share/config/a.outrc
> bash-2.03$ ls -la /tmp/a.out
> -rwsr-sr-x   1 root     root        19450 May 28 14:14 /tmp/a.out
> bash-2.03$ /tmp/a.out
> ^C
>
> bash-2.03$ ls -la /etc/foo
> -rw-rw-rw-   1 stealth  500             0 May 28 14:26 /etc/foo
> bash-2.03$
>
> (Output formatted to improve readability).
>
>
> Impact
> ===================
>
> An attacker may gain local root-access to a system where vulnerable KDE
> distributions are installed.
> Due to the GUI-nature of KDE, it might become difficult for an attacker
> to gain a root-shell on a remote system. However, the individual could
> modify the DISPLAY environment variable to redirect the output to one
> of his own machines.
> A vulnerable system must have at least one setuser-id program
> installed which utilizes the KApplication class.
> Such programs include ktvision and ktuner, for example.
>
>
> Explanation
> ===================
>
> Obviously, KDE doesn't check for possible symlinks when creating
> configuration-files. This may result in arbitrary file-creation or
> chmod's of any file.
> We assume the bug is within the KApplication::init() function:
>
> ...
>
>   // now for the local app config file
>   QString aConfigName = KApplication::localkdedir();
>   aConfigName += "/share/config/";
>   aConfigName += aAppName;
>   aConfigName += "rc";
>
>   QFile aConfigFile( aConfigName );
> ...
>
>
> This instantiation probably creates the file. However we haven't checked
> QFile {} further.
>
>
> Solution
> ===================
>
> Neither run KDE applications setuid nor setgid.
> The KDE developers have been informed. A patch should be made available
> soon. Upgrade as promptly as possible.
>
>
> Acknowledgments
> ================
>
> The bug-discovery and the demonstration programs are due to
> Sebastian "Stealth" Krahmer [1].
> Further checking on different distributions has been made
> by Scut.
>
> This advisory was written by Sebastian and Scut.
>
>
> Contact Information
> ===================
>
> The TESO crew can be reached by mailing to tesocoredump.cx.
> Our web page is at http://teso.scene.at/
>
> Stealth may be reached through [1].
>
>
> References
> ===================
>
> [1] http://www.cs.uni-potsdam.de/homepages/students/linuxer/
>
> [2] TESO
>     http://teso.scene.at or https://teso.scene.at/
>
>
> Disclaimer
> ===================
>
> This advisory does not claim to be complete or to be usable for any
> purpose. Especially information about the vulnerable systems may be
> inaccurate or wrong. The supplied exploit is not to be used for malicious
> purposes, but for educational purposes only.
>
> This advisory is free for open distribution in unmodified form.
> Articles that are based on information from this advisory should include
> links [1] and [2].
>
>
> Exploit
> ===================
>
> We've created a working demonstration program to exploit the vulnerability.
>
> The exploit is available from
>
>   http://teso.scene.at/ or https://teso.scene.at/
>
> and
>
>   http://www.cs.uni-potsdam.de/homepages/students/linuxer/
>
>
> - ------
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE5MWgLcZZ+BjKdwjcRAqJfAJwM5ksv/2dm7liESPMlYkQevZcfiACfb45I
> 0Xp/9kMRr1FTMV6r0qh+lao=
> =6q3d
> -----END PGP SIGNATURE-----
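The advisory's root cause is a privileged program creating a config file through a path the unprivileged user controls, so a planted symlink is followed. The following added example (not TESO's or KDE's code; the function names, the temp-dir layout and the placeholder names `a.outrc`/`etc-foo` are constructed) contrasts a QFile-style open with a hardened one that refuses symlinks and pre-existing entries, and reproduces the effect inside a throwaway directory instead of /etc:

```c
/* Unsafe vs. hardened creation of a per-user config file (e.g. ~/.kde/share/config/<app>rc)
 * by a privileged process.  Added example, not KDE's code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mirrors a plain create: O_CREAT without O_EXCL/O_NOFOLLOW, so a symlink at
 * 'path' is silently dereferenced and the file appears wherever it points. */
int open_config_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0666);
}

/* Hardened: O_EXCL rejects any existing entry (symlinks included), O_NOFOLLOW
 * refuses to traverse one, mode is owner-only, and the fd is checked after the
 * fact.  A setuid caller should additionally drop privileges (seteuid(getuid()))
 * before touching directories the user owns. Returns fd or -1. */
int open_config_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: 'a.outrc' -> 'etc-foo' (standing in for /etc/foo) inside a
 * fresh temp dir.  Returns 1 when the unsafe opener created the target through the
 * link while the safe opener refused, 0 otherwise.  Cleans up after itself. */
int demo(void)
{
    char dir[64], target[128], link[128];
    snprintf(dir, sizeof dir, "/tmp/kapp-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) < 0) return 0;
    snprintf(target, sizeof target, "%s/etc-foo", dir);
    snprintf(link, sizeof link, "%s/a.outrc", dir);
    if (symlink(target, link) < 0) { rmdir(dir); return 0; }
    int safe_fd = open_config_safe(link);        /* expected: -1 (EEXIST) */
    int unsafe_fd = open_config_unsafe(link);    /* expected: follows link */
    int created = access(target, F_OK) == 0;
    if (safe_fd >= 0) close(safe_fd);
    if (unsafe_fd >= 0) close(unsafe_fd);
    unlink(target); unlink(link); rmdir(dir);
    return safe_fd < 0 && unsafe_fd >= 0 && created;
}
```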

