[UNIX] KDE Temporary Directory Vulnerability

• Previous message: SecuriTeam: "[TOOL] WAL - Web Audit Library"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 16 Aug 2004 11:48:28 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  KDE Temporary Directory Vulnerability
------------------------------------------------------------------------

SUMMARY

The SUSE security team was alerted that in some cases the integrity of
symlinks used by KDE are not ensured and that these symlinks can be
pointing to stale locations. This can be abused by a local attacker to
create or truncate arbitrary files or to prevent KDE applications from
functioning correctly (Denial of Service).

KDE creates in ~/.kde symlinks to a temporary directory, a socket
directory and a cache directory. When a user logs into the KDE environment
the startkde script ensures that these symlinks are present and point to
directories that are owned by the user. However, when a user runs KDE
applications outside the KDE environment or when a user runs a KDE
applications as another user, such as root, the integrity of these
symlinks is not checked and it is possible that a previously created but
now stale symlinks exist.

DETAILS

Systems affected:
 * All versions of KDE up to KDE 3.2.3 inclusive

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689>
CAN-2004-0689

Impact:
When a stale symlink is present a local attacker could create the
directory that the symlink is pointing to with his own credentials to
prevent access to this directory by KDE applications. This can prevent KDE
applications from functioning correctly.

When a stale symlink is present a local attacker could create the
directory that the symlink is pointing to with his own credentials. Since
KDE applications will attempt to create files with certain known names in
this directory, an attacker can abuse this to overwrite arbitrary files
with the privileges of the user.

Solution:
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider for
information about how to obtain updated binary packages.

Time line and credits:
23/06/2004 SUSE Security Team alerted by Andrew Tuitt
26/06/2004 Patches created
27/07/2004 Vendors notified
11/08/2004 Public advisory

ADDITIONAL INFORMATION

The information has been provided by <mailto:bastian@kde.org> Waldo
Bastian.
The original article can be found at:
<http://www.kde.org/info/security/advisory-20040811-1.txt>
http://www.kde.org/info/security/advisory-20040811-1.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[TOOL] WAL - Web Audit Library"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]