COMMAND

    kppp

SYSTEMS AFFECTED

    Linux

PROBLEM

    "|[TDP]|" found an exploitable bug in my kppp application, which
    comes with the KDE environment.  A local user can execute malicious
    code to obtain root access (a root shell).

        gollum:~$ cd /usr/local/kde/bin
        gollum:/usr/local/kde/bin$ ls -la kppp
        -rwsr-xr-x   1 root     root       262516 Mar 15 01:17 kppp*
        ( ^- suid!)

        gollum:/usr/local/kde/bin$ kppp -h
        kppp -- valid command line options:
         -h describe command line options
         -c account_name : connect to account account_name
         -q : quit after end of connection
         -r rule_file: check syntax of rule_file

    The -c option is buggy: it contains a root-exploitable buffer
    overflow.  With 244 or fewer characters (X's) as the account name,
    kppp runs without problems.  With 245 characters it gives an error:

        gollum:/usr/local/kde/bin$ kppp -c
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

        Virtual memory exceed in `new'

    With 246 or more characters (up to about 1024) it dumps core:

        gollum:/usr/local/kde/bin$ kppp -c
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

        Segmentation fault (core dumped)
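    Added here as an illustration, not kppp's or KDE's own code (the real
    kppp source is not shown on this page): a bounded parser for the
    "-c account_name" option that checks the argument against its
    fixed-size buffer before copying and refuses anything longer rather
    than overflowing.  The 244-character limit and the struct and
    function names are assumptions chosen to mirror the boundary observed
    above.

```c
/* Added example, not kppp's own code; the 244-char limit is an assumption
 * mirroring the advisory's observed boundary (244 X's ok, 245+ fail). */
#include <string.h>

#define ACCOUNT_NAME_MAX 244                  /* longest accepted name */

struct options {
    char account[ACCOUNT_NAME_MAX + 1];       /* +1 for terminating NUL */
    int  quit_after_connect;
};

/* Copy name into opt->account only after checking that it fits.
 * Returns 0 on success, -1 if the name is missing or oversized. */
int set_account_name(struct options *opt, const char *name)
{
    if (name == NULL) return -1;
    /* Look for the NUL within the buffer size; none means too long. */
    const char *end = memchr(name, '\0', sizeof opt->account);
    if (end == NULL) return -1;               /* would overflow: refuse */
    memcpy(opt->account, name, (size_t)(end - name) + 1);
    return 0;
}

/* Walk argv for the -c and -q options the advisory lists.  Returns 0 on
 * success, -1 for an unknown, dangling or oversized option. */
int parse_args(struct options *opt, int argc, char **argv)
{
    memset(opt, 0, sizeof *opt);
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-q") == 0)
            opt->quit_after_connect = 1;
        else if (strcmp(argv[i], "-c") == 0 && i + 1 < argc) {
            if (set_account_name(opt, argv[++i]) != 0) return -1;
        } else
            return -1;
    }
    return 0;
}

/* Helper: is an account name made of n 'X' characters accepted? */
int accept_x_name(size_t n)
{
    char buf[2048];
    struct options opt;
    if (n >= sizeof buf) return -1;
    memset(buf, 'X', n);
    buf[n] = '\0';
    return set_account_name(&opt, buf);
}
```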

SOLUTION

    Users of kppp in a security-sensitive environment should upgrade to
    kppp-1.1.3.  However, users of kppp in a security-sensitive
    environment are also urged not to run kppp SETUID root, but rather
    to create a modem group.  kppp-1.1.3 is available in the kdenetwork
    package in the snapshots directory on ftp.kde.org and its mirrors.