
List:       kde-devel
Subject:    Re: kdesu overrides user's PATH with hardcoded path
From:       Oswald Buddenhagen <ossi () kde ! org>
Date:       2008-09-05 21:16:58
Message-ID: 20080905211658.GA28090 () ugly ! local

On Fri, Sep 05, 2008 at 09:46:53AM -0700, Branan Riley wrote:
> > this makes no sense. when i break into a user's account, i can fully
> > control it, including kdesu itself. i.e., su-ing from a compromised
> > account is inherently insecure and no amount of breaking established
> > ways to legitimately influence the execution flow will fix the problem.
>
> You still need the root password to su from a user's account.
>
yes, and the admin will freely enter it into my trojanized (kde)su. not
to mention that my keylogger will get it. and why would i need it,
anyway? my kdesu will show one thing and execute a different one.

> Dropping a payload into part of their custom path is quite a bit
> easier.
>  
yes. it gains the attacker a few minutes if he was unprepared. seems
like a humongous difference, given that this is a "set up and wait an
indefinite amount of time" type attack ..

anyway, regular su also resets PATH. only that it is configurable
(nowadays via PAM), so it doesn't screw over the user (== admin).
to make things halfway sane, kdesu should only clean up the PATH from
"" and "." and pass it to kdesu_stub as-is. the latter would only append
it to whatever it got from su or ssh.
and the user changing code in kdesu_stub is quite 198x ...

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Confusion, chaos, panic - my work here is done.
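The PATH handling the post proposes, as an added shell example that is not KDE's kdesu or kdesu_stub code: clean_path drops every "" and "." entry from the caller's PATH (both mean "current directory"), and merge_path shows the stub side appending what is left to the PATH that su or ssh already set, skipping components already present. The function names and sample paths are constructed for illustration.

```shell
# Added example, not KDE code. Plain POSIX sh; ":" is the PATH separator.

# Print $1 with every "" and "." component removed. Leading, trailing and
# doubled ":" all denote an empty entry, i.e. the current directory.
clean_path() {
    _rest=$1
    _out=""
    while :; do
        case $_rest in
            *:*) _p=${_rest%%:*}; _rest=${_rest#*:} ;;   # split off first entry
            *)   _p=$_rest; _rest="" ;;                  # last entry
        esac
        case $_p in
            ""|.) ;;                                     # drop current-dir entries
            *)    _out=${_out:+$_out:}$_p ;;
        esac
        [ -n "$_rest" ] || break
    done
    printf '%s\n' "$_out"
}

# Stub side: $1 is the PATH su/ssh handed over, $2 the caller's PATH.
# The cleaned caller PATH is appended, so nothing from the su side is
# shadowed, and entries already present are not added twice.
merge_path() {
    _result=$1
    _rest=$(clean_path "$2")
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _p=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _p=$_rest; _rest="" ;;
        esac
        case ":$_result:" in
            *":$_p:"*) ;;                                # already present
            *) _result=${_result:+$_result:}$_p ;;
        esac
    done
    printf '%s\n' "$_result"
}

# Demo on a constructed caller PATH carrying an empty entry and ".".
CALLER_PATH=':/usr/bin::.:/home/me/bin'
SU_PATH='/sbin:/usr/sbin:/usr/bin'
merge_path "$SU_PATH" "$CALLER_PATH"
```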