KDE unsecured TCP socket vulnerability
| Description: | the KDE desktop apparently uses network TCP sockets for process comunication instead of AF_UNIX domain sockets. The TCP sockets have no authentication, so you can send malicious commands to the port for copying files, etc. |
| Author: | Alan Cox <alan@LXORGUK.UKUU.ORG.UK> |
| Compromise: | Subvert the user running KDE |
| Vulnerable Systems: | Anything running unpatched KDE |
| Date: | 5 May 1997 |
Date: Mon, 5 May 1997 19:47:35 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Hole in the KDE desktop
KDE is a sort of neat desktop built on the Qt widget class (see
http://www.kde.org). A word of warning to anyone running it however - the
file manager talks to the other modules over a basically unsecured TCP
socket. You can ask it to copy files and all sorts of lovely stuff.
Fortunately its not got any obvious major features (the file copy for example
is to their local disk). However if you can get a file onto their box (eg
into their anonymous ftp area) you can ask kfm to copy it to ~user/.rhosts
The fix appears to be to make the KDE software communicate over an AF_UNIX
socket and set file permissions appropriately on the socket name. This
requires you rebuild a fair chunk of the KDE software but the end result
seems to work as well as before.
I've tried reporting bugs to the KDE authors, all I got was abuse so I'll
log it here instead in the hope someone sensible from the KDE project reads
this.
Alan
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
