Home page logo

bugtraq logo Bugtraq mailing list archives

Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
From: Stefan Seifert <nine () detonation org>
Date: Sat, 07 Aug 2004 10:31:54 +0200

Jordan Pilat wrote:

A vulnerability exists in the implementation of placing the SuSE YAST Control Center in the K Menu. Normally, one would be required to authenticate as root before being granted access to the YAST Control Center. When placing the 'preferences' submenu in the K Menu (in the 'submenu' section under the 'Menus' tab of the K menu panel preferences), however, one can not only access, but make changes to the options in the YAST control center without having to authenticate as root.
You can change options, but cannot save them or install software. It will fail silently, or with dubious error messages.

I experienced this after upgrading, when I suddenly was not able to change network settings or install new packages when starting the yast modules from the K-menu. I first thought that graphical yast was broken until I realized that it never asked me for a root password.

So it's not so much a security bug as just a normal usability bug. It's just useless to start yast without root privileges.

Stefan Seifert

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]