Bugtraq mailing list archives

Re: simple kde exploit fix

From: bluca () comedia it (Luca Berra)
Date: Mon, 18 May 1998 17:48:45 +0200


On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote:
.....


this fixes the exploit given and is a classic stack overflow exploit, the
thing is KDE uses the getenv function multiple times to get the home
directory (in other kde suites and programs as well) instead of getting it
from the passwd file, strange. Most are not vulnerable cause they aren't
suid, but it still seems to be bad programming since you can change the
environment from the shell. The only suid programs are klock, kppp, and
the *.kss files, I haven't checked the kss programs for bugs yet, but this
will fix the klock.


to be safe:
#for kde beta 3 and kde beta 4
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -206,6 +206,14 @@

 int main( int argc, char *argv[] )
 {
+       initPasswd();
+
+       if (getgid() != getegid())
+               setegid(getgid());
+
+       if (geteuid() != getuid())
+               seteuid(getuid());
+
        Window saveWin;
        int timeout = 600;
        ProgramName = argv[0];
#for kde beta 4:
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -286,11 +294,6 @@
                }
            i++;
        }
-
-       initPasswd();
-       // drop root privileges before we do anything important
-       setuid(getuid());
-

        if ( mode == MODE_INSTALL )
        {
#for kde beta 3:
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -286,8 +294,6 @@
                }
            i++;
        }
-
-       initPasswd();

        if ( mode == MODE_INSTALL )
        {

this is used by klock and all *.kss files.
if you have PAM, kscreensaver need not be suid, the patch is a bit long
(6K) so i will not post it here.

Regards
Luca
--
Luca Berra -- bluca () comedia it
    System and Network Manager - CoMedia s.r.l.

Current thread:

Re: easy DoS in most RPC apps Peter van Dijk (May 10)
- Re: easy DoS in most RPC apps Peter van Dijk (May 12)
  - Re: easy DoS in most RPC apps Bill Trost (May 13)
- <Possible follow-ups>
- Re: easy DoS in most RPC apps Peter van Dijk (May 14)
- Re: easy DoS in most RPC apps David LeBlanc (May 17)
  - Re: easy DoS in most RPC apps Scott Stone (May 17)
    - Re: easy DoS in most RPC apps Bill Paul (May 17)
    - Re: easy DoS in most RPC apps Olaf Kirch (May 18)
    - simple kde exploit fix David Zhao (May 17)
    - Re: simple kde exploit fix Luca Berra (May 18)
    - NFS shell Leendert van Doorn (May 18)
    - Re: NFS shell Oliver Friedrichs (May 19)
    - Re: NFS shell Leendert van Doorn (May 19)
    - Re: simple kde exploit fix Andreas Jellinghaus (May 18)
    - DHCP 1.0 and 2.0 SECURITY ALERT! (fwd) Chris Evans (May 18)