KDE, the K Desktop Environment, provides an integrated graphical
desktop environment for UNIX workstations. It was found to be vulnerable to multiple root compromises.
KDE was found to be vulnerable to the following issues:
1) Implicit trust of the ".kss.pid" file's content.
2) A race condition while KDE locates "kblankscrn.kss".
3) Implicit trust of the KDEDIR environment variable.
4) Implicit trust of the HOME environment variable.
1) Implicit trust of the ".kss.pid" file's content.
This causes klock to kill whichever process ID is stored in the file ".kss.pid"; it can be exploited trivially by running the following:
setenv HOME "/tmp"
echo thepid > /tmp/.kss.pid
klock
2) A race condition while KDE locates "kblankscrn.kss".
By changing the content of "kblankscrn.kss" to a script like this:
#!/bin/sh
echo Running script as `whoami`!
exit
You will see the following when you execute klock:
user@hostname:/home/user> /opt/kde/bin/klock
user@hostname:/home/user> Running script as root!
3) Implicit trust of the KDEDIR environment variable.
klock uses KDEDIR as the base directory in which it looks for screen savers; if KDEDIR points to a user-controlled directory, arbitrary commands can be run as root. An example script follows:
setenv KDEDIR /tmp
echo "#!/bin/sh" > /tmp/kblankscrn.kss
echo "id" >> /tmp/kblankscrn.kss
chmod +x /tmp/kblankscrn.kss
klock
4) Implicit trust of the HOME environment variable.
When kppp starts, it uses the HOME environment variable to decide where to create its log and configuration files. A malicious user can set HOME to any directory he wants, making kppp overwrite other users' kppp settings.
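The common root cause of issues 1 and 3 (and 4) is a privileged program acting on caller-controlled input: a pid read from a file and a directory taken from the environment. The following is an added example, not KDE's own code, of the checks a setuid tool like klock would need before using such input; it assumes a Linux-style /proc so that the owner of a pid can be read from /proc/<pid>.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Strictly parse a ".kss.pid" body: digits only (trailing newline allowed),
 * greater than 1, within pid range. Returns 1 on success, 0 on rejection. */
int parse_pid(const char *buf, pid_t *out) {
    char *end;
    long v;
    if (!buf || !isdigit((unsigned char)buf[0])) return 0;
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno || v <= 1 || v > INT_MAX) return 0;   /* rejects 0, init, garbage */
    while (*end == '\n' || *end == '\r') end++;
    if (*end != '\0') return 0;                      /* trailing junk */
    *out = (pid_t)v;
    return 1;
}

/* Signal a pid only if the REAL (invoking) user owns it; under Linux the
 * /proc/<pid> directory carries the process owner's uid (assumes /proc). */
int kill_if_owned_by_real_user(pid_t pid, int sig) {
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0 || st.st_uid != getuid()) return 0;
    return kill(pid, sig) == 0;
}

/* Accept a KDEDIR-style directory only if absolute, root-owned and not
 * group/world writable: a setuid tool must never exec from a caller-chosen
 * writable directory such as /tmp. The same test applies to a HOME value. */
int dir_is_trusted(const char *dir) {
    struct stat st;
    if (!dir || dir[0] != '/') return 0;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return 0;
    return 1;
}
```

With these checks the "/tmp/.kss.pid" and "setenv KDEDIR /tmp" cases above are rejected before klock signals a process or executes a screen saver.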