Tuesday, February 14, 2012

CVE-2011-2921 and ktsuss

ktsuss is a setuid binary that works more or less like a graphical "su". Let's install it on Maverick and play around with it.




Hmm.


What if...



O..k, that doesn't look good - not something I'd expect from a setuid binary (not this easily anyway). Looking at the CVE description, it seems that if the current user and the user which we specify in ktsuss are the same, the command runs with the EUID of the setuid binary (that is, with root privileges). :|
Yeah... that's bad. :|

equinox@VMubuntu:~$ ktsuss -u equinox whoami
root

Looking at the Debian discussion, it seems like the package is being scheduled for removal - without providing any patches for the current version which has the package (well, I think the responsible thing to do would be to remove the package and provide a patch for existing users).


So, unless I'm missing something obvious, the patch for this issue would be a seteuid(getuid()). You can view the LP bug for this issue here.
