- Date: Wed, 29 Apr 1998 12:39:19 +0200
- From: "|[TDP]|" <tdp@psynet.net>
- To: BUGTRAQ@NETSPACE.ORG
- Subject: Security hole in kppp
-
- I found an xploitable bug in my kppp application that comes with the KDE env.
- A local user can execute malicious code to obtain root access/shell.
-
- gollum:~$ cd /usr/local/kde/bin
- gollum:/usr/local/kde/bin$ ls -la kppp
- -rwsr-xr-x 1 root root 262516 Mar 15 01:17 kppp*
- ( ^- suid!)
-
- gollum:/usr/local/kde/bin$ kppp -h
- kppp -- valid command line options:
- -h describe command line options
- -c account_name : connect to account account_name
- -q : quit after end of connection
- -r rule_file: check syntax of rule_file
-
- I discovered that the -c option is buggy and has a root-xploitable buffer overflow.
-
-
- With 244 or fewer chars (X's) it executes without problems.
-
- With 245 chars (X's) it gives me an error:
-
- gollum:/usr/local/kde/bin$ kppp -c
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- Virtual memory exceed in `new'
-
- With 246 or more (up to about 1024) chars (X's) it causes a core dump :)
-
- gollum:/usr/local/kde/bin$ kppp -c
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-
- Segmentation fault (core dumped)
-
- ^^^^^^^^^^^^ Security hole... Dangerous, isn't it?
-
-
- Remove the suid bit or wait for a patch.
-
- -=[ [TDP] - H-13 MeMBaH ]=-
- -=[ tdp@psynet.net ]=-
-
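A hardened version of the "-c account_name" handling the post describes, added here as an illustration and not kppp's or KDE's code: the 244-character limit is an assumption chosen to match the 244/245 boundary the post reports, and `set_account_name` / `probe_x_len` are constructed names.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit: the post reports that 244 X's work and 245 fail, so a
 * 244-char field (plus NUL) reproduces that boundary. Constructed
 * illustration of the safe pattern, not kppp's actual source. */
#define ACCOUNT_NAME_MAX 244

struct pppopts { char account[ACCOUNT_NAME_MAX + 1]; };

/* Hardened handling of "-c account_name": measure the argument and refuse
 * it before anything is copied into the fixed buffer, so a long argv value
 * can never run past the end of `account' in a setuid binary.
 * Returns 0 on success, -1 with errno (EINVAL / ENAMETOOLONG) on rejection. */
int set_account_name(struct pppopts *o, const char *arg)
{
    size_t n;
    if (arg == NULL || (n = strlen(arg)) == 0) { errno = EINVAL; return -1; }
    if (n > ACCOUNT_NAME_MAX) { errno = ENAMETOOLONG; return -1; }
    memcpy(o->account, arg, n + 1);   /* n + 1 <= sizeof o->account */
    return 0;
}

/* Repeats the post's experiment against the hardened setter: n X's as the
 * -c value. Returns 0 if accepted, -1 if rejected; it never crashes. */
int probe_x_len(size_t n)
{
    char buf[2048];
    struct pppopts o;
    if (n >= sizeof buf) return -1;
    memset(buf, 'X', n);
    buf[n] = '\0';
    return set_account_name(&o, buf);
}

/* Usage: ./a.out ACCOUNT_NAME  (stands in for "kppp -c ACCOUNT_NAME") */
int main(int argc, char **argv)
{
    struct pppopts o;
    if (argc != 2 || set_account_name(&o, argv[1]) != 0) {
        fprintf(stderr, "account name rejected: %s\n",
                argc != 2 ? "expected exactly one argument" : strerror(errno));
        return 1;
    }
    printf("account \"%s\" accepted (%zu chars)\n", o.account, strlen(o.account));
    return 0;
}
```

With the check in place the 245- and 246-character inputs from the post are refused with an error code instead of corrupting the heap or crashing.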