Vulnerability
 kreatecd
Affected
 Any system which has kreatecd installed as set-UID root
Description
 The following is based on the TESO Security Advisory. A vulnerability
 in the kreatecd application for Linux has been discovered that lets
 a local attacker gain root access.
 This affects any system on which kreatecd is installed set-UID
 root. A source build installed with configure; make; make install
 also ends up set-UID root and is therefore affected as well. Among
 the vulnerable distributions (if the package is installed) are
 Halloween Linux Version 4 and SuSE 6.x.
 Tests:
 [stealth@liane stealth]$ stat `which kreatecd`
 File: "/usr/bin/kreatecd"
 Size: 229068 Filetype: Regular File
 Mode: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
 Device: 3,1 Inode: 360053 Links: 1
 Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
 Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
 Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
 [stealth@liane stealth]$ id
 uid=500(stealth) gid=500(stealth) groups=500(stealth)
 [stealth@liane stealth]$ /tmp/kreatur
 (... some diagnostic messages ...)
 Creating suid-maker...
 Creating boom-shell...
 
 Execute kreatecd and follow the menus:
 Configure -> Paths -- change the path for cdrecord to /tmp/xxx
 Apply -> OK
 Configure -> SCSI -> OK
 
 Execute /tmp/boomsh
 
 
 BEHAVE!
 
 (poking around with GUI...)
 [stealth@liane stealth]$ /tmp/boomsh
 [root@liane stealth]# id
 uid=0(root) gid=500(stealth) groups=500(stealth)
 [root@liane stealth]#
 An attacker may gain local root access on any system where the
 vulnerable kreatecd package is installed. For a remote attacker who
 has only obtained local user access this is harder in practice,
 because the vulnerable program is a GUI application whose menus
 have to be driven through a display.
 kreatecd keeps a saved user-ID of 0 and blindly trusts the path to
 the CD-recording software (cdrecord) that an unprivileged user
 enters in its configuration. It then invokes that program with an
 effective UID of 0 as soon as the user clicks through the Configure
 menus, so an attacker-controlled binary at the configured path runs
 as root. In the test above the demonstration program plants
 /tmp/xxx, that path is configured as cdrecord, and the resulting
 set-UID root shell /tmp/boomsh yields uid=0.
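 The following is an added example, not code from kreatecd or from the
 TESO advisory, that puts the pattern described above next to a hardened
 launcher. The names (launch_tool_vulnerable, launch_tool_hardened,
 path_in_trusted_dir, file_is_root_unwritable, drop_privileges_fully) and
 the list of trusted directories are this example's own assumptions. The
 vulnerable launcher regains root from the saved UID and execs whatever
 path the user configured; the hardened one accepts only a root-owned,
 non-writable file directly below a system directory and, unless the
 caller explicitly needs root for the recorder, drops real, effective and
 saved IDs before the exec (setuid(getuid()) alone would leave the saved
 UID 0 on Linux when the effective UID is already non-zero).

```c
/* Added example (not kreatecd's or TESO's code): the set-UID pattern the
 * advisory describes beside a hardened launcher. All names are the example's own. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Prototypes for the Linux-specific calls, in case _GNU_SOURCE was not seen first. */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);

/* Directories only root can write to on a sane system (assumption). */
static const char *const trusted_dirs[] = { "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", NULL };

/* Lexical check: absolute, directly below a trusted dir, no "..". 1 = ok. */
int path_in_trusted_dir(const char *path)
{
    if (path == NULL || path[0] != '/' || strstr(path, "..") != NULL)
        return 0;
    for (int i = 0; trusted_dirs[i] != NULL; i++) {
        size_t n = strlen(trusted_dirs[i]);
        if (strncmp(path, trusted_dirs[i], n) == 0 && path[n] != '\0'
            && strchr(path + n, '/') == NULL)
            return 1;
    }
    return 0;
}

/* Filesystem check: regular file, owned by root, not group/world writable,
 * so an unprivileged user cannot have planted or replaced it. 1 = ok. */
int file_is_root_unwritable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != 0)
        return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Give up root for good: real, effective AND saved IDs become the caller's.
 * setuid(getuid()) is not enough while the effective UID is already non-zero:
 * the saved UID would stay 0 and the child could setuid(0) again. 0 = ok. */
int drop_privileges_fully(void)
{
    uid_t uid = getuid(), r, e, s;
    gid_t gid = getgid();
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid)
        return -1;
    return 0;
}

/* The pattern the advisory describes: trust the configured path, regain
 * root from the saved UID, exec. A planted /tmp/xxx then runs with EUID 0. */
int launch_tool_vulnerable(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (seteuid(0) == 0)
            execv(path, argv);
        _exit(127);
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

/* Hardened launcher: refuse any path an unprivileged user could control and
 * drop privileges in the child unless the caller genuinely needs root for
 * the recorder (then the path must come from root-owned configuration). */
int launch_tool_hardened(const char *path, char *const argv[], int keep_root)
{
    int status;
    if (!path_in_trusted_dir(path) || !file_is_root_unwritable(path)) {
        fprintf(stderr, "refusing untrusted tool path: %s\n", path);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (keep_root || drop_privileges_fully() == 0)
            execv(path, argv);
        _exit(127);
    }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s /path/to/cdrecord [args...]\n", argv[0]); return 2; }
    int status = launch_tool_hardened(argv[1], argv + 1, 0);
    return status < 0 ? 1 : WEXITSTATUS(status);
}
```

 Run as ./launcher /tmp/xxx it refuses before forking; run as
 ./launcher /usr/bin/cdrecord it execs the root-owned binary with the
 caller's own IDs. If the recorder really needs root, pass keep_root=1
 only for a path read from root-owned configuration, never from a file in
 the user's home directory, which is exactly what the advisory's exploit
 abuses.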
 The bug discovery and the demonstration programs are due to S.
 Krahmer. A working demonstration program that exploits the
 vulnerability is available from
 http://teso.scene.at/ or https://teso.scene.at/
 http://www.cs.uni-potsdam.de/homepages/students/linuxer
Solution
 The author and the distributors were informed before publication.
 Remove the set-UID bit from the kreatecd binary; without it the
 configured recording program runs only with the invoking user's own
 privileges.
