Bugtraq mailing list archives
Re: simple kde exploit fix
From: bluca () comedia it (Luca Berra)
Date: Mon, 18 May 1998 17:48:45 +0200
On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote: .....
This fixes the exploit given and is a classic stack overflow exploit. The thing is, KDE uses the getenv function multiple times to get the home directory (in other KDE suites and programs as well) instead of getting it from the passwd file, strange. Most are not vulnerable because they aren't suid, but it still seems to be bad programming since you can change the environment from the shell. The only suid programs are klock, kppp, and the *.kss files. I haven't checked the kss programs for bugs yet, but this will fix klock.
to be safe: #for kde beta 3 and kde beta 4 --- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998 +++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998 @@ -206,6 +206,14 @@ int main( int argc, char *argv[] ) { + initPasswd(); + + if (getgid() != getegid()) + setegid(getgid()); + + if (geteuid() != getuid()) + seteuid(getuid()); + Window saveWin; int timeout = 600; ProgramName = argv[0]; #for kde beta 4: --- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998 +++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998 @@ -286,11 +294,6 @@ } i++; } - - initPasswd(); - // drop root privileges before we do anything important - setuid(getuid()); - if ( mode == MODE_INSTALL ) { #for kde beta 3: --- kdebase/kscreensaver/main.cpp.sec Sat Jan 10 01:13:31 1998 +++ kdebase/kscreensaver/main.cpp Mon Feb 23 19:33:45 1998 @@ -286,8 +294,6 @@ } i++; } - - initPasswd(); if ( mode == MODE_INSTALL ) { this is used by klock and all *.kss files. if you have PAM, kscreensaver need not be suid, the patch is a bit long (6K) so i will not post it here. Regards Luca -- Luca Berra -- bluca () comedia it System and Network Manager - CoMedia s.r.l.
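Review bot: in the first hunk (@@ -206,6 +206,14 @@, for beta 3 and beta 4) the new block at the top of main() only changes the effective ids with setegid()/seteuid(), so the saved set-user-ID stays 0 and a later seteuid(0), whether by the program itself or by code reached through the overflow this thread is about, puts root back; the setuid(getuid()) this replaces in beta 4 discarded the saved id as well. If a permanent drop is intended, use setgid(getgid()) followed by setuid(getuid()) here, after initPasswd(), instead of the sete*id pair; if a temporary drop is really what is wanted, a comment should say so. Neither setegid() nor seteuid() has its return value checked either, so on failure the program carries on as root.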
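Review bot: the beta 4 hunk (@@ -286,11 +294,6 @@) removes the only irrevocable drop, `setuid(getuid());`, together with the comment "drop root privileges before we do anything important" that documents its purpose; with the earlier hunk's seteuid() as the sole replacement, the process can regain root at any later point. Suggest keeping `setuid(getuid());` (preceded by `setgid(getgid());`) at the new early location and moving the comment along with it, so the next reader knows the drop is meant to be permanent.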
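Review bot: for beta 3 the last hunk (@@ -286,8 +294,6 @@) only relocates initPasswd(), since that tree had no privilege drop here at all, so the early drop added at the top of main() is what closes the window between reading argv and the environment and dropping root. Worth confirming that initPasswd() does not depend on anything computed between the top of main() and its old call site after the argv loop, and that it is the only code in this path that needs root; otherwise the relocated call will fail silently once the effective ids have been lowered.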
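The two points raised in this thread, reading the home directory from $HOME inside a setuid program and dropping root only partially, are illustrated below in an added example that is not code from the thread, from KDE, or from either poster. It assumes Linux/glibc (getresuid()/getresgid() are used to confirm that the saved ids were dropped; their prototypes are spelled out in case _GNU_SOURCE is not in effect) and uses constructed inputs; the function names are made up for the example.

```c
/* Added example (not from the Bugtraq thread or KDE): two defensive
 * patterns for a setuid program such as klock / kscreensaver.
 *  1. Take the home directory from the passwd database rather than from
 *     getenv("HOME"), and copy it with an explicit length check instead of
 *     the strcpy() that turns an oversized $HOME into a stack overflow.
 *  2. Drop privileges with setgid() before setuid(), check both return
 *     values, and verify with getresuid()/getresgid() (Linux/glibc) that the
 *     saved ids were dropped too, which seteuid()/setegid() never do. */
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case _GNU_SOURCE was not set before the first
 * system header was pulled in; identical redeclaration is legal C. */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Join a home directory and a relative path into out[outsz].
 * Returns 0 on success, -1 if the result would not fit. */
int safe_home_path(const char *home, const char *rel, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s/%s", home, rel);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0)
            out[0] = '\0';          /* never leave a partial path behind */
        return -1;
    }
    return 0;
}

/* Home directory for uid from the passwd database (getpwuid_r), the source
 * David's message says should have been used instead of $HOME.
 * Returns 0 on success, -1 if the uid is unknown or pw_dir does not fit. */
int home_from_passwd(uid_t uid, char *out, size_t outsz)
{
    struct passwd pw, *res = NULL;
    char scratch[1024];

    if (getpwuid_r(uid, &pw, scratch, sizeof scratch, &res) != 0 || res == NULL)
        return -1;
    if (strlen(res->pw_dir) >= outsz)
        return -1;
    strcpy(out, res->pw_dir);       /* length checked above */
    return 0;
}

/* Permanently drop to the real uid/gid. The gid must be changed while the
 * process is still root, so setgid() comes first, and each call is checked.
 * Returns 0 only if real, effective and saved ids all equal the real ids
 * afterwards (an effective-only drop would leave the saved uid at 0). */
int drop_privileges_permanently(void)
{
    uid_t ruid, euid, suid;
    gid_t rgid, egid, sgid;

    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    if (getresuid(&ruid, &euid, &suid) != 0 || getresgid(&rgid, &egid, &sgid) != 0)
        return -1;
    if (ruid != euid || ruid != suid || rgid != egid || rgid != sgid)
        return -1;                  /* a saved id is still privileged */
    return 0;
}

/* Constructed sample: a 200-character HOME, the kind of value anyone can put
 * in the environment of a setuid program. Returns 1 if it is rejected
 * cleanly instead of overflowing the destination. */
int overlong_home_is_rejected(void)
{
    char home[201], out[128];

    memset(home, 'A', 200);
    home[200] = '\0';
    return safe_home_path(home, ".kde/share/config", out, sizeof out) == -1
           && out[0] == '\0';
}

int main(void)
{
    char home[256], path[256];

    if (drop_privileges_permanently() != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    if (home_from_passwd(getuid(), home, sizeof home) != 0) {
        fprintf(stderr, "uid %u not found in passwd\n", (unsigned)getuid());
        return 1;
    }
    if (safe_home_path(home, ".kde/share/config", path, sizeof path) != 0) {
        fprintf(stderr, "config path too long\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

The order in drop_privileges_permanently() is the point the patch discussion turns on: setuid(getuid()) in a root process clears the saved set-user-ID as well as the effective one, so the check on the three ids passes, whereas a seteuid()-only drop would fail it because suid stays 0.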
Current thread:
- simple kde exploit fix David Zhao (May 17)
- Re: simple kde exploit fix Luca Berra (May 18)
- Re: simple kde exploit fix Andreas Jellinghaus (May 18)