Re: kon2

[Martin Schulze <joey () FINLANDIA INFODROM NORTH DE>]

Elias Levy wrote:
>   Package : kon2-0.3.8
>   Compromise : root
>   Vulnerable Sistems : All linux sistems that have this package installed.
>   Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphere () clix pt
>
>  Discussion :
>
>    There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8
>   package. This program accepts options input from a text file and its possible
>   to input arbitrary code into the stack and spawning a root shell.

>  This code uses zsh with the name of zh to spawn the shell.
>  The exploit code was developed to participate in Wargames of www.hack3r.com.
>  The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4
>  and my distribution is Linux Mandrake 7.0.Both revealed to be vulnerable to this
>  exploit. I think Debian also as this package but i don´t try this exploit in it.

Yes, Debian distributes kon2 packages:

Debian GNU/Linux 2.1    0.3.7-9
Debian GNU/Linux 2.2    0.3.9b-3

The Debian maintainer for kon2 has decided not to make /usr/bin/fld
setuid, so the exploit doesn seem to work there.

>  I didn't know where to report the bug first, because is the first time i find
>  a suid exploitable program, so i send it to you www.securityfocus.com and so
>  the problem can be solved.

Thanks.

Regards,

        Joey
        Debian Security Team

--
Unix is user friendly ...  It's just picky about its friends.