[UNIX] KDE Temporary Directory Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 08/16/04

  • Next message: SecuriTeam: "[UNIX] DCOPServer Temporary Filename Vulnerability" 
    To: list@securiteam.com
Date: 16 Aug 2004 11:48:28 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      KDE Temporary Directory Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The SUSE security team was alerted that in some cases the integrity of
    symlinks used by KDE are not ensured and that these symlinks can be
    pointing to stale locations. This can be abused by a local attacker to
    create or truncate arbitrary files or to prevent KDE applications from
    functioning correctly (Denial of Service).

    KDE creates in ~/.kde symlinks to a temporary directory, a socket
    directory and a cache directory. When a user logs into the KDE environment
    the startkde script ensures that these symlinks are present and point to
    directories that are owned by the user. However, when a user runs KDE
    applications outside the KDE environment or when a user runs a KDE
    applications as another user, such as root, the integrity of these
    symlinks is not checked and it is possible that a previously created but
    now stale symlinks exist.

    DETAILS

    Systems affected:
     * All versions of KDE up to KDE 3.2.3 inclusive

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689>
    CAN-2004-0689

    Impact:
    When a stale symlink is present a local attacker could create the
    directory that the symlink is pointing to with his own credentials to
    prevent access to this directory by KDE applications. This can prevent KDE
    applications from functioning correctly.

    When a stale symlink is present a local attacker could create the
    directory that the symlink is pointing to with his own credentials. Since
    KDE applications will attempt to create files with certain known names in
    this directory, an attacker can abuse this to overwrite arbitrary files
    with the privileges of the user.

    Solution:
    Source code patches have been made available which fix these
    vulnerabilities. Contact your OS vendor / binary package provider for
    information about how to obtain updated binary packages.

    Time line and credits:
    23/06/2004 SUSE Security Team alerted by Andrew Tuitt
    26/06/2004 Patches created
    27/07/2004 Vendors notified
    11/08/2004 Public advisory

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bastian@kde.org> Waldo
    Bastian.
    The original article can be found at:
    <http://www.kde.org/info/security/advisory-20040811-1.txt>
    http://www.kde.org/info/security/advisory-20040811-1.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] DCOPServer Temporary Filename Vulnerability"

    Relevant Pages