Security hole in kppp

From: |[TDP]| (tdpat_private)
Date: Wed Apr 29 1998 - 03:39:19 PDT


    I found an xploitable bug in my kppp application, which comes with the KDE
    env.
    A local user can execute malicious code to obtain root access/shell.
    
    gollum:~$ cd /usr/local/kde/bin
    gollum:/usr/local/kde/bin$ ls -la kppp
    -rwsr-xr-x   1 root     root       262516 Mar 15 01:17 kppp*
    ( ^- suid!)
    
    gollum:/usr/local/kde/bin$ kppp -h
    kppp -- valid command line options:
     -h describe command line options
     -c account_name : connect to account account_name
     -q : quit after end of connection
     -r rule_file: check syntax of rule_file
    
     I discovered that the -c option is buggy and has a root-xploitable buffer overflow.
    
    
     With 244 or fewer chars (X's) it executes without problems.
    
     With 245 chars (X's) it gives me an error:
    
    gollum:/usr/local/kde/bin$ kppp -c
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    Virtual memory exceed in `new'
    
     With 246 or more (up to about 1024) chars (X's) it causes a core dump :)
    
    gollum:/usr/local/kde/bin$ kppp -c
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    
    Segmentation fault (core dumped)
    
    ^^^^^^^^^^^^  Security hole...  Dangerous, isn't it?
    
    
     Remove the suid bit or wait for a patch
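An illustration of the failure mode reported above and its fix, added here as example code that is not kppp's source: the -c argument copied into a fixed-size buffer with no bound, beside a parser that checks the length before copying. ACCOUNT_MAX, connect_account_safe, parse_connect_option and accepts_length are constructed names, and the buffer size is an assumption chosen to mirror the 244/245 threshold in the report.

```c
#include <string.h>

/* Constructed example, not kppp's source. ACCOUNT_MAX is an assumption chosen
 * so that 244 characters fit and 245 do not, mirroring the report. The unsafe
 * pattern described is an unbounded copy such as strcpy(account, argv[i + 1])
 * into a buffer of this size, so an over-long -c argument overruns it. */
#define ACCOUNT_MAX 244

/* Hardened form: check the length before copying and refuse anything that
 * does not fit. Returns 0 on success, -1 if the argument is rejected. */
int connect_account_safe(const char *arg, char *out, size_t outsz)
{
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    size_t len = strlen(arg);
    if (len >= outsz)            /* no room for the terminator: reject */
        return -1;
    memcpy(out, arg, len + 1);   /* copy including the terminator */
    return 0;
}

/* Minimal handling of "-c account_name" that delegates to the bounded copy.
 * Returns 0 if an account name was accepted, -1 otherwise. */
int parse_connect_option(int argc, char **argv, char *out, size_t outsz)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;                     /* -c without an account name */
        if (connect_account_safe(argv[i + 1], out, outsz) != 0)
            return -1;                     /* too long: rejected, never copied */
        return 0;
    }
    return -1;
}

/* Repeat the report's experiment against the bounded parser with an argument
 * of n 'X' characters (n up to 1024). Returns 1 if accepted, 0 if rejected. */
int accepts_length(size_t n)
{
    char account[ACCOUNT_MAX + 1], arg[1025];
    if (n >= sizeof arg) return 0;
    memset(arg, 'X', n);
    arg[n] = '\0';
    return connect_account_safe(arg, account, sizeof account) == 0;
}
```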
    
                                                 -=[  [TDP] - H-13 MeMBaH  ]=-
                                                 -=[  tdpat_private  ]=-
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:40 PDT