Re: KDE 1.0's klock can be used to gain root privileges

From: Phillip Vandry (vandryat_private)
Date: Tue Nov 17 1998 - 09:03:52 PST


    > The SUID program klock shipped with KDE 1.0 attempts to execute
    > kblankscrn.kss in the same directory as it.  If kblankscrn.kss cannot
    > be executed (missing or mode -x) then klock will search the current
    > user's $PATH for any executable with the same name and execute it as
    > ROOT.  If no executable is found in the current path it gives this
    > message:
    
    How does klock know which directory it is itself in? As far as I know,
    there is no secure way for a program to find out where its own
    executable is located, therefore it should also be possible to convince
    it to execute a trojan kblankscrn.kss without having to move anything?
    
    -Phil
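
The point raised in the reply above, as an added example that is not part of the original post and is not klock's code: a directory derived from argv[0] is whatever the caller of exec passed, so a privileged program should build its helper path from a compile-time constant and exec it without a $PATH search. `HELPER_DIR` and all function names are hypothetical, and the argv[0] values in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed install directory, fixed at build time (hypothetical value). */
#define HELPER_DIR "/opt/kde/bin"

/* Fragile pattern: take the directory part of argv[0]. The caller of exec*()
 * chooses argv[0], so the result is caller-controlled; with no '/' in argv[0]
 * the result is a bare name that execvp() would look up in $PATH. */
int helper_path_from_argv0(const char *argv0, const char *name, char *out, size_t n)
{
    const char *slash = strrchr(argv0, '/');
    int dirlen = slash ? (int)(slash - argv0) : 0;
    int r = snprintf(out, n, "%.*s%s%s", dirlen, argv0, slash ? "/" : "", name);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Hardened pattern: ignore argv[0] and $PATH. Accept only a plain file name
 * and place it under the compile-time directory. */
int helper_path_fixed(const char *name, char *out, size_t n)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    int r = snprintf(out, n, "%s/%s", HELPER_DIR, name);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Drop privileges for good, then exec by absolute path with a fixed
 * environment. Returns only on failure. */
int run_helper(const char *name)
{
    char path[4096];
    char *const argv[] = { (char *)name, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (helper_path_fixed(name, path, sizeof path) != 0)
        return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;              /* group first, then user */
    execve(path, argv, envp);   /* execve() never searches $PATH */
    return -1;
}

int main(void)
{
    char a[256], b[256];
    helper_path_from_argv0("/home/user/klock", "kblankscrn.kss", a, sizeof a);
    helper_path_fixed("kblankscrn.kss", b, sizeof b);
    printf("from argv[0]: %s\nfixed:        %s\n", a, b);
    return 0;
}
```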
    


