KDE unsecured TCP socket vulnerability

Summary
Description:the KDE desktop apparently uses network TCP sockets for process comunication instead of AF_UNIX domain sockets. The TCP sockets have no authentication, so you can send malicious commands to the port for copying files, etc.
Author:Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
Compromise:Subvert the user running KDE
Vulnerable Systems:Anything running unpatched KDE
Date:5 May 1997
Details


Date: Mon, 5 May 1997 19:47:35 +0100
From: Alan Cox <alan@LXORGUK.UKUU.ORG.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Hole in the KDE desktop

KDE is a sort of neat desktop built on the Qt widget class (see
http://www.kde.org). A word of warning to anyone running it however - the
file manager talks to the other modules over a basically unsecured TCP
socket. You can ask it to copy files and all sorts of lovely stuff.
Fortunately its not got any obvious major features (the file copy for example
is to their local disk). However if you can get a file onto their box (eg
into their anonymous ftp area) you can ask kfm to copy it to ~user/.rhosts

The fix appears to be to make the KDE software communicate over an AF_UNIX
socket and set file permissions appropriately on the socket name. This
requires you rebuild a fair chunk of the KDE software but the end result
seems to work as well as before.

I've tried reporting bugs to the KDE authors, all I got was abuse so I'll
log it here instead in the hope someone sensible from the KDE project reads
this.

Alan

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]