Bugtraq mailing list archives

Re: simple kde exploit fix
From: bluca () comedia it (Luca Berra)
Date: Mon, 18 May 1998 17:48:45 +0200


On Sun, May 17, 1998 at 02:52:10PM -0500, David Zhao wrote:
.....

This fixes the exploit given, which is a classic stack overflow exploit. The
thing is, KDE uses the getenv function multiple times to get the home
directory (in other KDE suites and programs as well) instead of getting it
from the passwd file, which is strange. Most are not vulnerable because they aren't
suid, but it still seems to be bad programming since you can change the
environment from the shell. The only suid programs are klock, kppp, and
the *.kss files. I haven't checked the kss programs for bugs yet, but this
will fix klock.


to be safe:
#for kde beta 3 and kde beta 4
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -206,6 +206,14 @@

 int main( int argc, char *argv[] )
 {
+       initPasswd();
+
+       if (getgid() != getegid())
+               setegid(getgid());
+
+       if (geteuid() != getuid())
+               seteuid(getuid());
+
        Window saveWin;
        int timeout = 600;
        ProgramName = argv[0];
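Review bot: the block added at the top of main() uses setegid()/seteuid(), which change only the effective IDs and leave the saved set-user-ID as root, so a later seteuid(0) still succeeds; the code it replaces (see the beta 4 hunk below) used `setuid(getuid())`, which for a root process drops the real, effective and saved IDs together. Unless klock really needs to regain root after initPasswd() has read the password data, use `setgid(getgid())` and `setuid(getuid())` here, check both return values and exit on failure instead of continuing with privileges, and keep the removed comment `// drop root privileges before we do anything important`, which documents why this has to be the first thing main() does. The `getgid() != getegid()` / `geteuid() != getuid()` guards are harmless but unnecessary, since setting the effective ID to the real one is a no-op when they already match.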
#for kde beta 4:
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -286,11 +294,6 @@
                }
            i++;
        }
-
-       initPasswd();
-       // drop root privileges before we do anything important
-       setuid(getuid());
-

        if ( mode == MODE_INSTALL )
        {
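Review bot: this hunk only removes the old initPasswd()/setuid(getuid()) block and must be applied together with the first hunk; on its own it leaves the beta 4 binary with no privilege drop at all, and the `+294` in the hunk header already assumes the eight lines the first hunk inserts. It is also not a pure move of the same code: the removed `setuid(getuid())` was a full drop (real, effective and saved IDs), while the replacement at the top of main() only changes the effective IDs, so the change in privilege semantics deserves a sentence in the accompanying message.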
#for kde beta 3:
--- kdebase/kscreensaver/main.cpp.sec   Sat Jan 10 01:13:31 1998
+++ kdebase/kscreensaver/main.cpp       Mon Feb 23 19:33:45 1998
@@ -286,8 +294,6 @@
                }
            i++;
        }
-
-       initPasswd();

        if ( mode == MODE_INSTALL )
        {
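Review bot: for beta 3 only the initPasswd() call is removed here and there was no privilege drop at this point to begin with, so the first hunk is the only thing that adds one; as with the beta 4 hunk, the `+294` offset in the header assumes the first hunk has already been applied, and the two should be shipped as one patch per version. The beta 3 and beta 4 hunks also carry identical `main.cpp.sec` file headers and timestamps, so a reader cannot tell from the diff itself which tree each was generated against; regenerate them against the respective trees or at least note the version in the header.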

This is used by klock and all *.kss files.
If you have PAM, kscreensaver need not be suid; the patch is a bit long
(6K) so I will not post it here.

Regards
Luca
--
Luca Berra -- bluca () comedia it
    System and Network Manager - CoMedia s.r.l.
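The two defensive points raised in this thread, written out as an added example that is not part of the posted patches or of KDE's code: a suid program should drop its privileges permanently (not just the effective IDs) and check that the drop worked, and it should take the home directory from the passwd database for the real user rather than trusting $HOME, which the invoking shell controls. The function names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Permanently drop any set-user-ID/set-group-ID privileges.
 * Group first (setgid needs the old euid to succeed), then user; each
 * return value is checked and the drop is verified afterwards.
 * Returns 0 on success, -1 if privileges could not be dropped. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify: effective IDs must now equal the real ones. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    /* For a non-root invoker, setuid() above also cleared the saved
     * set-user-ID, so regaining root must now fail; seteuid() alone
     * (as in the first hunk) would not give this guarantee. */
    if (uid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Home directory of the real (invoking) user from the passwd database,
 * ignoring $HOME. Returns NULL if the user has no usable passwd entry;
 * the result points at static storage owned by getpwuid(). */
const char *home_dir_from_passwd(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] != '/')
        return NULL;
    return pw->pw_dir;
}

int main(void)
{
    if (drop_privileges() != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to continue\n");
        return 1;
    }
    const char *home = home_dir_from_passwd();
    printf("home from passwd: %s\n", home ? home : "(none)");
    printf("$HOME (untrusted): %s\n", getenv("HOME") ? getenv("HOME") : "(unset)");
    return 0;
}
```

Run as an ordinary user the two lines normally agree; the difference shows when a caller exports a hostile HOME before invoking a suid binary, which the passwd lookup ignores.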