This bug has been fixed a while ago. Users of kppp in a security sensitive
environment should upgrade to kppp-1.1.3. Furthermore, I urge users of kppp
in a security sensitive environment to not run kppp SETUID root, but rather
to create a modem group.

kppp-1.1.3 is available in the kdenetwork package in the snapshots directory
on ftp.kde.org and its mirrors.

Best Regards,
Bernd Wuebben

> I found an xploitable bug in my kppp application that comes with KDE
>env.
>Local user can execute malicious code to obtain root access/shell.
>
>gollum:~$ cd /usr/local/kde/bin
>gollum:/usr/local/kde/bin$ ls -la kppp
>-rwsr-xr-x 1 root root 262516 Mar 15 01:17 kppp*
>( ^- suid!)
>
>gollum:/usr/local/kde/bin$ kppp -h
>kppp -- valid command line options:
> -h describe command line options
> -c account_name : connect to account account_name
> -q : quit after end of connection
> -r rule_file: check syntax of rule_file
>
> I discover that -c option is buggy and root xploitable buffer overflow.

--------------------------------------------------------------------
Bernd Johannes Wuebben
wuebbenat_private
--------------------------------------------------------------------
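
The setup recommended in the reply above (no setuid bit on kppp, modem access granted through a group) can be verified on a host with a short script. This is an added example, not part of the original mail or of kppp; it assumes GNU stat, and the binary path, device path and group name are site-specific arguments.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes GNU stat (stat -c).

# Print "setuid" if FILE has the setuid bit set, else "not-setuid".
check_setuid() {
    if [ -u "$1" ]; then echo "setuid"; else echo "not-setuid"; fi
}

# Print "ok" if DEVICE belongs to GROUP, is group read/write and closed to
# everyone else; otherwise print the first problem found.
check_device_group() {
    dev=$1
    grp=$2
    owner_grp=$(stat -c %G "$dev") || return 2
    mode=$(stat -c %a "$dev") || return 2
    other=${mode#"${mode%?}"}      # last octal digit: permissions for "other"
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last digit: group permissions
    if [ "$owner_grp" != "$grp" ]; then
        echo "wrong-group"
    elif [ "$other" != "0" ]; then
        echo "world-accessible"
    else
        case $group in
            6|7) echo "ok" ;;
            *)   echo "group-lacks-rw" ;;
        esac
    fi
}

# Report both checks for one dialer binary and one modem device.
audit_dialer() {
    echo "binary $1: $(check_setuid "$1")"
    echo "device $2 (group $3): $(check_device_group "$2" "$3")"
}

# Run only when called with: BINARY DEVICE GROUP (all three are site-specific).
if [ "$#" -eq 3 ]; then
    audit_dialer "$1" "$2" "$3"
fi
```

A result of "not-setuid" for the binary together with "ok" for the device matches the group-based setup the reply recommends.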
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:51:45 PDT