Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps N-Z :: bt562.txt

Qt temporary files race condition in Knoppix 3.1

Qt libaries works with KDE. Knoppix 3.1 comes with KDE3. A default 

installation on hard disk of this live CD linux distribution with the SSHD 

daemon running may allow a serious D.o.S. attack and potential root 


I've found a race condition in knoppix 3.1 live CD. I've confirmed it on 2 

different installations on hard disk done with the "knx-hdinstall" tool.


1) After booting knoppix from the CD I set the root passwd

2) I use knx-hdinstall

Knoppix by default goes to init 5 at startup, so "kdm" is started.

If you start a session with any user you can see:

On /tmp you can see a directory ".qt" with this permissions:

drwxr-xr-x root root 

Inside /tmp/.qt/ the are two files: "qt_plugins_3.0rc" 

and "qt_plugins_3.0rc.lock", both owned by root.

The /tmp directory is world writable so it's trivial to exploit this flaw 

with a symlink attack.

I have exploited it with a ".bash_profile" inside /home/knoppix/ with 

something like this:

--------------- .bash_profile --------------------

mkdir /tmp/.qt

ln -s <file_owned_by_root> /tmp/.qt/qt_plugins3.0rc


All you have to do is waiting for a reboot, then an automated script (I've 

been able to do it by hand) will try to log in via SSH with "knoppix" user 

before "kdm" is started (it's really easy) and your bash profile will be 

loaded. The symlink you created will force the overwriting of 

<file_owned_by_root>. D.o.S. is trivial: the attacker can overwrite any 

file in the system.

Exploitation to get root privileges is harder but not imposible. Soon we 

will have some proof of concept exploit to show potential dangerous 

scenarios at:


Hugo Vázquez Caramés

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH