BugTraq
Back to list
|
Post reply
Qt temporary files race condition in Knoppix 3.1
Jul 08 2003 03:48PM
Hugo Vázquez Caramés (overclocking_a_la_abuela hotmail com)
Qt libaries works with KDE. Knoppix 3.1 comes with KDE3. A default
installation on hard disk of this live CD linux distribution with the SSHD
daemon running may allow a serious D.o.S. attack and potential root
compromise.
I've found a race condition in knoppix 3.1 live CD. I've confirmed it on 2
different installations on hard disk done with the "knx-hdinstall" tool.
Procedure:
1) After booting knoppix from the CD I set the root passwd
2) I use knx-hdinstall
Knoppix by default goes to init 5 at startup, so "kdm" is started.
If you start a session with any user you can see:
On /tmp you can see a directory ".qt" with this permissions:
drwxr-xr-x root root
Inside /tmp/.qt/ the are two files: "qt_plugins_3.0rc"
and "qt_plugins_3.0rc.lock", both owned by root.
The /tmp directory is world writable so it's trivial to exploit this flaw
with a symlink attack.
I have exploited it with a ".bash_profile" inside /home/knoppix/ with
something like this:
--------------- .bash_profile --------------------
mkdir /tmp/.qt
ln -s <file_owned_by_root> /tmp/.qt/qt_plugins3.0rc
---------------------------------------------------
All you have to do is waiting for a reboot, then an automated script (I've
been able to do it by hand) will try to log in via SSH with "knoppix" user
before "kdm" is started (it's really easy) and your bash profile will be
loaded. The symlink you created will force the overwriting of
<file_owned_by_root>. D.o.S. is trivial: the attacker can overwrite any
file in the system.
Exploitation to get root privileges is harder but not imposible. Soon we
will have some proof of concept exploit to show potential dangerous
scenarios at:
http://www.infohacking.com
Regards,
Hugo Vázquez Caramés
hugo (at) infohacking (dot) com [email concealed]
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Qt libaries works with KDE. Knoppix 3.1 comes with KDE3. A default
installation on hard disk of this live CD linux distribution with the SSHD
daemon running may allow a serious D.o.S. attack and potential root
compromise.
I've found a race condition in knoppix 3.1 live CD. I've confirmed it on 2
different installations on hard disk done with the "knx-hdinstall" tool.
Procedure:
1) After booting knoppix from the CD I set the root passwd
2) I use knx-hdinstall
Knoppix by default goes to init 5 at startup, so "kdm" is started.
If you start a session with any user you can see:
On /tmp you can see a directory ".qt" with this permissions:
drwxr-xr-x root root
Inside /tmp/.qt/ the are two files: "qt_plugins_3.0rc"
and "qt_plugins_3.0rc.lock", both owned by root.
The /tmp directory is world writable so it's trivial to exploit this flaw
with a symlink attack.
I have exploited it with a ".bash_profile" inside /home/knoppix/ with
something like this:
--------------- .bash_profile --------------------
mkdir /tmp/.qt
ln -s <file_owned_by_root> /tmp/.qt/qt_plugins3.0rc
---------------------------------------------------
All you have to do is waiting for a reboot, then an automated script (I've
been able to do it by hand) will try to log in via SSH with "knoppix" user
before "kdm" is started (it's really easy) and your bash profile will be
loaded. The symlink you created will force the overwriting of
<file_owned_by_root>. D.o.S. is trivial: the attacker can overwrite any
file in the system.
Exploitation to get root privileges is harder but not imposible. Soon we
will have some proof of concept exploit to show potential dangerous
scenarios at:
http://www.infohacking.com
Regards,
Hugo Vázquez Caramés
hugo (at) infohacking (dot) com [email concealed]
[ reply ]