Fwd: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCALROOT EXPLOIT

Stefan Westerfeld stefan at space.twc.de
Tue Jul 9 14:53:26 BST 2002


   Hi!

On Mon, Jul 08, 2002 at 01:16:24AM -0500, Andreas Pour wrote:
> > On Sun, 7 Jul 2002, Waldo Bastian wrote:
> > > My first impression is that the affected code doesn't run with root privs at
> > > all, the only thing that could be exploited are the real-time privs IMO (I
> > > guess that allows for a local DOS)
> > 
> > Yes, root-permissions are dropped before the sig11 happened. It is not a
> > security problem, George said the same on IRC yesterday.
> 
> The problem is, the root permissions are not irrevocably dropped.  When
> you use "seteuid(getuid())", the very same program can later
> "seteuid(0)", and restore itself to the root effective uid.  So it's
> just a matter of putting that call into your exploit code.  Try the
> attached to see what I mean.

There is still no exploit (according to Olaf Kirch). The root permissions
are mostly dropped with seteuid(getuid()) ; as you say, they could be revoked
at this point. But as soon as artswrapper exec()s artsd, the real and saved
ids are set to the effective id (according to Olaf Kirch, again), so that
you can't revoke root permissions thereafter.

But if you can show me a patch to artsd that revokes root permissions there,
after being exec'd by a non-root user from the suid artswrapper, I would
believe you, because then, it would be exploitable ;).

   Cu... Stefan
-- 
  -* Stefan Westerfeld, stefan at space.twc.de (PGP!), Hamburg/Germany
     KDE Developer, project infos at http://space.twc.de/~stefan/kde *-         




More information about the kde-core-devel mailing list