Re: KDE Screensaver vulnerability

From: pedwardat_private
Date: Wed Nov 18 1998 - 13:57:43 PST


    Might I suggest that you put a delay into the program, if the password
    is incorrect.  This way it'll be as difficult as using su to detect if
    you found the correct password.  Brute forcing the password list for
    any given user is more easily accomplished without the delay.  You
    may also want to put some IPC intelligence into the program to detect
    multiple instances running; anyone can write a proggie which spawns
    250 kcheckpass progs, and still get decent throughput.
    
    Perhaps a shared memory segment with a mutex would work.  The mutex
    is held for the runtime of the program, provided that the UID of the people
    running it is the same (50 different people running it once is OK, 1
    person running it 50 concurrent times is not).
    
    --Perry
    
    >
    > Dear Bugtraq subscribers,
    >
    >
    > KDE Screensavers are usually running SUID root. Security issues have
    > been posted to Bugtraq on Nov 16 1998, under the subject "KDE 1.0's
    > klock can be used to gain root priveledges". The KDE team has now
    > published a fix for the KDE1.0 branch and the current branch.
    >
    > With this change, screensavers and klock are not running SUID anymore.
    > This will solve every potential exploit, like misuse of buffer overruns
    > to gain root rights or executing a wrong executable under SUID rights.
    >
    > The following text explains the technique used to solve the problem.
    > An advisory for distributors, users and administrators follows the
    > technical description.
    >
    >
    > Technique
    > ---------
    > An authentication program, kcheckpass, has been introduced. This
    > is a separate helper program that runs SUID and is called each
    > time a password has to be checked. The password is passed via
    > STDIN to the program and the result of the authentication
    > process is returned in the return code of the program.
    > This program is small and supposed to be free from security hassles.
    >
    > Christian Esken <eskenat_private>
    >
    
    
    --
    Perry Harrington        System Software Engineer    zelur xuniL  ()
    http://www.webcom.com  perry.harringtonat_private  Think Blue.  /\
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:23:51 PDT