Bugtraq mailing list archives

serious security hole in KDE Beta 3

From: tudorb () CCO CALTECH EDU (Tudor Bosman)
Date: Fri, 6 Feb 1998 20:06:52 -0800


Hello !

When using shadow passwords, the K Desktop Environment
(http://www.kde.org) screen savers require to be setuid root (in order
to access /etc/shadow).  However, they never drop root privileges...

When starting, they create the file .kss.pid in the home directory as
root, following symbolic links.  And ln -s /etc/shadow ~/.kss.pid
will cause /etc/shadow to be overwritten.

A short patch:

diff -c kscreensaver.orig/main.cpp kscreensaver/main.cpp
*** kscreensaver.orig/main.cpp  Fri Feb  6 19:23:07 1998
--- kscreensaver/main.cpp       Fri Feb  6 19:30:13 1998
***************
*** 289,294 ****
--- 289,298 ----

        initPasswd();

+       // this makes use of the POSIX saved UIDs feature, available
+       // in current Linux versions -- tudorb () caltech edu
+       setuid (getuid ());
+
        if ( mode == MODE_INSTALL )
        {
         if (!canGetPasswd) {

--
Tudor Bosman
E-mail:  tudorb () its caltech edu   Phone: (626) 683-3813
Address: Caltech MSC #345, Pasadena, CA 91126-0345, USA

Current thread:

Windows 95 Serv-U FTP bug whiz (Feb 04)
- <Possible follow-ups>
- Re: Windows 95 Serv-U FTP bug tl (Feb 05)
  - Re: Windows 95 Serv-U FTP bug Alan Thew (Feb 06)
  - SMB signing NT chall / response Mudgenski Von Splat (Feb 06)
  - L0pht Advisory - NT port binding vulnerability Weld Pond (Feb 06)
  - An update on MS private key (in)security issues Aleph One (Feb 06)
  - Another ld-linux.so problem Solar Designer (Feb 06)
    - CERT Advisory CA-98.04 - NT.WebServers Phillip R. Jaenke (Feb 06)
    - Re: CERT Advisory CA-98.04 - NT.WebServers David LeBlanc (Feb 06)
    - serious security hole in KDE Beta 3 Tudor Bosman (Feb 06)
    - Re: Another ld-linux.so problem joost witteveen (Feb 07)
    - Re: Another ld-linux.so problem Solar Designer (Feb 07)
    - Re: Another ld-linux.so problem carson () tla org (Feb 07)
    - Re: Another ld-linux.so problem Aleph One (Feb 08)
    - www-sql cgi prog overrides .htaccess restrictions. Mr LEROY christophe (Feb 09)
    - Re: www-sql cgi prog overrides .htaccess restrictions. Stunt Pope (Feb 09)
    - SNI-24: IDS Vulnerabilities Secure Networks Inc. (Feb 09)
    - AIX/Gradient iFOR/LS bug: follows symlinks Joerg Schumacher (Feb 09)
    - Re: AIX/Gradient iFOR/LS bug: follows symlinks Troy A. Bollinger (Feb 09)
    - CFP - Recent Advances in Intrusion Detection (RAID'98) Marc Dacier (Feb 10)

(Thread continues...)