Bugtraq mailing list archives
Re: KDE Screensaver vulnerability
From: pedward () WEBCOM COM (pedward () WEBCOM COM)
Date: Wed, 18 Nov 1998 13:57:43 -0800
Might I suggest that you put a delay into the program, if the password is incorrect. This way it'll be as difficult as using su to detect if you found the correct password. Brute forcing the password list for any given user is more easily accomplished without the delay.

You may also want to put some IPC intelligence into the program to detect multiple instances running; anyone can write a proggie which spawns 250 kcheckpass progs, and still get decent throughput. Perhaps a shared memory segment with a mutex would work. And the mutex is held for the runtime of the program, providing that the UID of the people running it are the same (50 different people running it once is OK, 1 person running it 50 concurrent times is not).

--Perry
Dear Bugtraq subscribers,

KDE Screensavers are usually running SUID root. Security issues have been posted to Bugtraq on Nov 16 1998, under the subject "KDE 1.0's klock can be used to gain root priveledges".

The KDE team has now published a fix for the KDE1.0 branch and the current branch. With this change, screensavers and klock are not running SUID anymore. This will solve every potential exploit, like misuse of buffer overruns to gain root rights or executing a wrong executable under SUID rights.

The following text explains the technique used to solve the problem. An advisory for distributors, users and administrators follows the technical description.

Technique
---------
An authentication program, kcheckpass, has been introduced. This is a separate, helper program, that runs SUID and is called each time a password has to be checked. The password is passed via STDIN to the program and the result of the authentication process is returned in the return code of the program. This program is small and supposed to be free from security hazzles.

Christian Esken <esken () kde org>
-- Perry Harrington System Software Engineer zelur xuniL () http://www.webcom.com perry.harrington () webcom com Think Blue. /\
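The two measures suggested in the reply above (a delay after a wrong password, and at most one running instance per UID), written in C as an added example; it is not kcheckpass code and was not posted in this thread. It uses an flock() lock file in place of the shared memory segment and mutex mentioned in the reply, and the lock directory, file name and function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Take an exclusive, non-blocking lock keyed on the caller's real UID.
 * Returns the lock fd, -2 if that UID already has an instance running,
 * or -1 on any other error. lock_dir (assumed name) must be root-writable only. */
int acquire_uid_lock(const char *lock_dir, uid_t uid)
{
    char path[256];
    int n = snprintf(path, sizeof path, "%s/checkpass-%lu.lock",
                     lock_dir, (unsigned long)uid);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) != 0) {
        int busy = (errno == EWOULDBLOCK);
        close(fd);
        return busy ? -2 : -1;
    }
    return fd;   /* the kernel drops the lock when the process exits */
}

/* Map the check result to an exit code. On failure, sleep first while the
 * lock is still held, so one UID gets at most one guess per delay period. */
int finish_check(int password_ok, int lock_fd, long fail_delay_ms)
{
    if (!password_ok) {
        struct timespec ts = { fail_delay_ms / 1000,
                               (fail_delay_ms % 1000) * 1000000L };
        while (nanosleep(&ts, &ts) != 0 && errno == EINTR)
            ;   /* resume if a signal cuts the delay short */
    }
    close(lock_fd);
    return password_ok ? 0 : 1;
}
```

A SUID helper would call acquire_uid_lock() with getuid(), which is still the invoking user's real UID, before reading the password from stdin, and exit without checking anything when it returns -2.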