From: H D Moore (hdm_at_digitaloffense.net)
Date: Mon Jul 29 2002 - 13:43:30 CDT
The artsd binary is not setuid, it's supposed to be called by the setuid
artswrapper application (which sets a higher scheduling priority,
setuid(getuid())'s and executes the real artsd binary). I haven't bothered
to look through the shellcode for backdoors yet...
---hdm
masada:/tools> head -n 20 bp_artsd.c && ls -la /opt/kde3/bin/artsd && cat /etc/SuSE-release
/* bp_artsd.c
 * KDE 2/3 artsd 1.0.0 local root exploit
 *
 * credits: dvorak (helped me A LOT! #), electronicsouls.org
 *
 * greets:
 * bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
 * philer, preamble, eth1cal
 * fucks to: fd0 (du schwule schlumpf)
 *
 * -kokane <kokane segfault.ch>
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define BSIZE 1033
#define ESIZE 5120
#define RET 0xbffff808 /* tested on suse linux 8.0 */
-rwxr-xr-x 1 root root 126696 May 14 19:30 /opt/kde3/bin/artsd
SuSE Linux 8.0 (i386)
VERSION = 8.0
On Monday 29 July 2002 12:55, kokane wrote:
> KDE 2/3 artsd 1.0.0 local root exploit PoC.
>
> Cheers,
> -kokane