[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Insecure directory handling in KFM file manager

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Insecure directory handling in KFM file manager
From: Paul Starzetz <paul@STARZETZ.DE>
Date: Wed, 18 Apr 2001 21:40:49 +0200

    [ The following text is in the "iso-8859-1" character set. ]
    [ Your display is set for the "US-ASCII" character set.  ]
    [ Some characters may be displayed incorrectly. ]

Hi,

there is a symlink/owner problem in the KDE file manager kfm. I found it
on my SuSE 7.0 but I'm not sure if it is an original SuSE package or
not, rpm doesn't know about it:

paul@ps:/tmp > rpm -qfi /usr/opt/kde/bin/kfm
die Datei »/usr/opt/kde/bin/kfm« gehört zu keinem Paket 

what means that the kfm binary is not known to rpm. However, I suspect
that it is included in all KDE1 distributions.

kfm will create a cache directory in /tmp without checking for correct
onwership named kfm-cache-UID where UID is the numerical user id. Then
it will write to files in the cache dir, for example:



root@ps:/tmp/kfm-cache-500 > ls -la
drwxrwxrwx   2 rws      uboot        4096 Apr 18 21:18 .
drwxrwxrwt  15 root     root       770048 Apr 18 21:16 ..
lrwxrwxrwx   1 rws      uboot          18 Apr 18 21:18 index.html ->
/home/paul/.bashrc
-rw-r--r--   1 rws      uboot           0 Apr 18 21:16 index.txt

root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
-rw-r--r--   1 paul     users        1458 Jan 23 13:56
/home/paul/.bashrc


and after running kfm as user 500:

root@ps:/tmp/kfm-cache-500 > ls -la /home/paul/.bashrc
-rw-r--r--   1 paul     users         271 Apr 18 21:19
/home/paul/.bashrc


The impact is obvious :-/

Ihq.

Prev by Date: Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)
Next by Date: Re: PIX Firewall 5.1 DoS Vulnerability
Prev by thread: Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)
Next by thread: Re: PIX Firewall 5.1 DoS Vulnerability
Index(es):
- Date
- Thread