Fwd: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCALROOT EXPLOIT

Adrian Schroeter adrian at suse.de
Mon Jul 8 07:41:58 BST 2002


On Mon, 8 Jul 2002, Adrian Schroeter wrote:
> On Mon, 8 Jul 2002, Adrian Schroeter wrote:
> > On Mon, 8 Jul 2002, Andreas Pour wrote:
> > > Adrian Schroeter wrote:
> > > >
> > > > On Sun, 7 Jul 2002, Waldo Bastian wrote:
> > > > > My first impression is that the affected code doesn't run with root privs at
> > > > > all, the only thing that could be exploited are the real-time privs IMO (I
> > > > > guess that allows for a local DOS)
> > > >
> > > > Yes, root-permissions are dropped before the sig11 happened. It is not a
> > > > security problem, George said the same on IRC yesterday.
> > >
> > > Hi,
> > >
> > > The problem is, the root permissions are not irrevocably dropped.  When
> > > you use "seteuid(getuid())", the very same program can later
> > > "seteuid(0)", and restore itself to the root effective uid.  So it's
> > > just a matter of putting that call into your exploit code.  Try the
> > > attached to see what I mean.
> > >
> > > To lose the ability to "return" to the prior effective uid, use
> > > setuid(), as the patch does.
>
> Sorry, but the attached patch in Waldos mail does not do that, it only fix
> one buffer overflow.

And it was a "setreuid" call in the past, which would be okay.
(I wondered why we didn't saw this during a review ;)

So effected KDE releases are "only" 2.1 - 3.0.2.

bye
adrian

**********************************************************************
Adrian Schroeter
SuSE AG, Deutschherrnstr. 15-19, 90429 Nuernberg, Germany
email: adrian at suse.de   (184 mails already received today.)






More information about the kde-core-devel mailing list