Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Linux :: Apps A-M :: kreate.htm

Kreatecd root exploit




    Any system which has kreatecd installed as set-UID root


    Following is  based on  TESO Security  Advisory.   A vulnerability
    within the kreatecd application for Linux has been discovered.  An
    attacker can gain local root-access.

    This affects any  system which has  kreatecd installed as  set-UID
    root.   This  affects  also   a  configure;  make;  make   install
    procedure.  Among the vulnerable distributions (if the package  is
    installed) are the Halloween Linux Version 4 and SuSE 6.x.


        [stealth@liane stealth]$ stat `which kreatecd`
          File: "/usr/bin/kreatecd"
          Size: 229068       Filetype: Regular File
          Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
        Device:  3,1   Inode: 360053    Links: 1
        Access: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        Modify: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        Change: Tue Mar 14 14:48:21 2000(00000.00:00:45)
        [stealth@liane stealth]$ id
        uid=500(stealth) gid=500(stealth) groups=500(stealth)
        [stealth@liane stealth]$ /tmp/kreatur
        (... some diagnostic messages ...)
        Creating suid-maker...
        Creating boom-shell...
        Execute kreatecd and follow the menus:
        Configure -> Paths  -- change the path for cdrecord to /tmp/xxx
        Apply -> OK
        Configure -> SCSI -> OK
        Execute /tmp/boomsh
        (poking around with GUI...)
        [stealth@liane stealth]$ /tmp/boomsh
        [root@liane stealth]# id
        uid=0(root) gid=500(stealth) groups=500(stealth)
        [root@liane stealth]#

    An  attacker  may  gain  local  root-access  to  a  system   where
    vulnerable kreatecd  package is  installed. It  might be difficult
    for an  remote attacker  who gained  local user-access  due to the
    GUI-nature of the vulnerable program.

    Kreatecd which  runs with  the saved  user-id of  0 blindly trusts
    path's to cd-recording  software given by  unprivileged user.   It
    then invokes this software with EUID of 0 when user just clicks  a
    little bit around with the menus.

    The bug-discovery  and the  demonstration programs  are due  to S.
    Krahmer.  There's a  working demonstration program to  exploit the
    vulnerability.  The exploit is available from or


    The author and the distributor  has been informed before.   Remove
    the suid bit of kreatecd.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH