Vigil@nce: KDE, permission change via KDM
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use KDM to force a file to become world
writable.
– Severity: 2/4
– Creation date: 14/04/2010
DESCRIPTION OF THE VULNERABILITY
The KDM environment uses a control socket (/var/run/xdmctl/dmctl-$DISPLAY/socket).
When the user authenticates on KDM, the dmctl-$DISPLAY directory
is created, and a new socket is created. The mode of the socket is
then changed to 0666.
However, the user can replace the socket by a link to an arbitrary
file on the system. The mode of this file thus becomes 0666.
A local attacker can therefore use KDM to force a file to become
world writable. He can then acquire root privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/KDE-permission-change-via-KDM-9586