Qt temporary files race condition in Knoppix 3.1

From: Hugo (overclocking_a_la_abuela_at_hotmail.com)
Date: 07/08/03

  • Next message: Mandrake Linux Security Team: "MDKSA-2003:073 - Updated unzip packages fix vulnerability"
    Date: 8 Jul 2003 15:48:51 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    Qt libaries works with KDE. Knoppix 3.1 comes with KDE3. A default
    installation on hard disk of this live CD linux distribution with the SSHD
    daemon running may allow a serious D.o.S. attack and potential root
    compromise.

    I've found a race condition in knoppix 3.1 live CD. I've confirmed it on 2
    different installations on hard disk done with the "knx-hdinstall" tool.
    Procedure:
    1) After booting knoppix from the CD I set the root passwd
    2) I use knx-hdinstall

    Knoppix by default goes to init 5 at startup, so "kdm" is started.
    If you start a session with any user you can see:
    On /tmp you can see a directory ".qt" with this permissions:
    drwxr-xr-x root root
    Inside /tmp/.qt/ the are two files: "qt_plugins_3.0rc"
    and "qt_plugins_3.0rc.lock", both owned by root.

    The /tmp directory is world writable so it's trivial to exploit this flaw
    with a symlink attack.

    I have exploited it with a ".bash_profile" inside /home/knoppix/ with
    something like this:

    --------------- .bash_profile --------------------
    mkdir /tmp/.qt
    ln -s <file_owned_by_root> /tmp/.qt/qt_plugins3.0rc
    ---------------------------------------------------

    All you have to do is waiting for a reboot, then an automated script (I've
    been able to do it by hand) will try to log in via SSH with "knoppix" user
    before "kdm" is started (it's really easy) and your bash profile will be
    loaded. The symlink you created will force the overwriting of
    <file_owned_by_root>. D.o.S. is trivial: the attacker can overwrite any
    file in the system.

    Exploitation to get root privileges is harder but not imposible. Soon we
    will have some proof of concept exploit to show potential dangerous
    scenarios at:

    http://www.infohacking.com

    Regards,

    Hugo Vázquez Caramés
    hugo@infohacking.com


  • Next message: Mandrake Linux Security Team: "MDKSA-2003:073 - Updated unzip packages fix vulnerability"

    Relevant Pages

    • knx-hdinstall vs dist-upgrade. taking bets.
      ... I've decided to install Knoppix on my hard disk. ... before that this is a good way to get an initial installation of Debian ... Debian installation to a dist-upgraded modern Debian desktop including ...
      (Debian-User)
    • Re: Unable to log on
      ... type Control-D or enter root password' prompt. ... the system is dual boot & I can boot windows (or as I mentioned ... knoppix) and see that the drive is intact, so I'm thinking that when I ... first deleted files with knoppix I changed some permissions on the drive. ...
      (Ubuntu)
    • Re: fstab problems
      ... I tried sudo first then swithed to root on Knoppix. ... Knoppix mounts file systems read only for your protection. ... desktop icon to bring up a nice menu with a "Change read/write mode" ... This mounts the filesystem on the partition as read/write. ...
      (Fedora)
    • Re: [kde-linux] Instalation Help
      ... I recently discovered the Knoppix CD. ... Knoppix can also be installed on the hard disk using an installation script. ... partition space for Linux and Linux-swap partitions. ...
      (KDE)
    • Re: Knoppix install - How do I?
      ... Knoppix is designed to run from a CD, not to be installed on hard disk in ... but it's better to go for a proper Debian installation than to ... do the Knoppix one, since you end up with a kind of Debian hybrid. ...
      (comp.os.linux.setup)