
List:       kde-core-devel
Subject:    Re: Security problems with kdesud
From:       Matthias Hoelzer-Kluepfel <mhk () caldera ! de>
Date:       2001-01-09 8:38:37

On Tue, 9 Jan 2001, Thomas wrote:

> > kdesud has a rather big security problem as noted last week on kde-cvs.
> > 
> > An attacker with an account on the system can create a /tmp/kdesud_<pid>_:0 
> > socket and wait for the user with <pid> to use kdesu to run a program as 
> > root. When the user selects 'Keep Password' the root password will be sent
> > to the attacker.
> 
> What about simply unlinking it before you create a new one?

Then you have another security problem, known as "/tmp race".
The attacker simply creates the socket in a loop, hoping that
his process will be scheduled between the time kdesud unlinks
and creates the new socket. Works better than one would think,
unfortunately.


Bye,
Matthias.
