Bugtraq mailing list archives

Re: [VulnWatch] KDE 2/3 artsd 1.0.0 local root exploit


From: H D Moore <hdm () digitaloffense net>
Date: Mon, 29 Jul 2002 13:43:30 -0500

The artsd binary is not setuid; it's supposed to be called by the setuid 
artswrapper application (which sets a higher scheduling priority, 
setuid(getuid())'s and executes the real artsd binary). I haven't bothered 
to look through the shellcode for backdoors yet...

---

hdm@masada:/tools> head -n 20 bp_artsd.c && ls -la /opt/kde3/bin/artsd && cat /etc/SuSE-release

/* bp_artsd.c
 * KDE 2/3 artsd 1.0.0 local root exploit
 *
 * credits: dvorak (helped me A LOT!@#), electronicsouls.org
 *
 * greets:
 * bp members, dvorak, null, r00t, obz, rafa, nouse, module, phrack man,
 * philer, preamble, eth1cal
 * fucks to: fd0 (du schwule schlumpf)
 *
 * -kokane <kokane () segfault ch>
 */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define BSIZE   1033
#define ESIZE   5120
#define RET     0xbffff808      /* tested on suse linux 8.0  */

-rwxr-xr-x    1 root     root       126696 May 14 19:30 /opt/kde3/bin/artsd

SuSE Linux 8.0 (i386)
VERSION = 8.0




On Monday 29 July 2002 12:55, kokane wrote:
KDE 2/3 artsd 1.0.0 local root exploit PoC.

Cheers,
-kokane
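
The wrapper pattern described in the reply above (raise scheduling priority while still privileged, drop to the real uid, then execute the real binary), written as an added C example. It is not artswrapper's source and not code from either poster; the helper path, the nice value and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Best-effort priority raise. It needs privilege, so it must run before
 * the drop. Returns 0 if raised, -1 if not (treated as non-fatal). */
static int raise_priority(int nice_value)
{
    return setpriority(PRIO_PROCESS, 0, nice_value) == 0 ? 0 : -1;
}

/* Permanently drop to the real uid/gid. Returns 0 only when the drop has
 * been verified; the caller must not exec the helper otherwise. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped the gid can no longer change. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    /* A non-root caller must not be able to get root back. */
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    const char *helper = "/path/to/real-daemon"; /* placeholder path (assumption) */

    (void)argc;
    if (raise_priority(-10) != 0) /* -10 is an arbitrary example value */
        fprintf(stderr, "wrapper: could not raise priority, continuing\n");
    if (drop_privileges() != 0) {
        fprintf(stderr, "wrapper: privilege drop failed, refusing to exec\n");
        return EXIT_FAILURE;
    }
    execv(helper, argv); /* helper now runs with the caller's own ids */
    perror("execv");
    return EXIT_FAILURE;
}
```

With this ordering the helper never holds elevated ids, so a memory-corruption bug in it yields only the invoking user's privileges.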

