Vulnerabilities > CVE-2005-2494 - Local Privilege Escalation vulnerability in KDE kcheckpass

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
kde
nessus

Summary

kcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files.

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2005-251-01.NASL
    descriptionNew kdebase packages are available for Slackware 10.0, 10.1, and -current to fix a security issue with the kcheckpass program. Earlier versions of Slackware are not affected. A flaw in the way the program creates lockfiles could allow a local attacker to gain root privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id19861
    published2005-10-05
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/19861
    titleSlackware 10.0 / 10.1 / current : kcheckpass in kdebase (SSA:2005-251-01)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2005-251-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when Nessus loads the plugin with 'description' set,
    # only the metadata below is recorded and the script exits (exit(0) at the
    # end of this block) before any host-side checks run.
    if (description)
    {
      script_id(19861);
      script_version("1.16");
      script_cvs_date("Date: 2019/10/25 13:36:20");
    
      # Ties this check to the CVE and the Slackware advisory it was derived from.
      script_cve_id("CVE-2005-2494");
      script_xref(name:"SSA", value:"2005-251-01");
    
      script_name(english:"Slackware 10.0 / 10.1 / current : kcheckpass in kdebase (SSA:2005-251-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      # Description text is quoted from SSA:2005-251-01; it is a package-version
      # finding only and says nothing about whether the lock directory on the
      # scanned host is actually writable by unprivileged users.
      script_set_attribute(
        attribute:"description", 
        value:
    "New kdebase packages are available for Slackware 10.0, 10.1, and
    -current to fix a security issue with the kcheckpass program. Earlier
    versions of Slackware are not affected. A flaw in the way the program
    creates lockfiles could allow a local attacker to gain root
    privileges."
      );
      # http://www.kde.org/info/security/advisory-20050905-1.txt
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.kde.org/info/security/advisory-20050905-1.txt"
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.367371
      # (the value below is a Tenable short link to the same advisory)
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?700a2028"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected kdebase package."
      );
      # CVSSv2: local vector, low complexity, no authentication, complete
      # confidentiality/integrity/availability impact (base score 7.2).
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:kdebase");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/09/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/10/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      # The check body below reads the Slackware release and package list from
      # the KB; those keys are populated by the SSH-based info gathering plugin,
      # so the plugin is skipped entirely when they are absent.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    # Pre-conditions. Each audit() call reports the reason and ends the plugin,
    # so the order here decides which reason is shown when several apply.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Only x86 (i386..i686) and x86_64 package naming is handled. Any other
    # architecture is reported as "not implemented" rather than silently
    # treated as patched.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    # One check per Slackware release named in SSA:2005-251-01, with the fixed
    # kdebase build given as pkgver/pkgarch/pkgnum. slackware_check() comes from
    # slackware.inc and is presumably true when the installed kdebase is older
    # than that build -- confirm against slackware.inc. Note this is purely a
    # version comparison: it does not test whether /var/lock is user-writable,
    # which the Red Hat and Mandriva advisories describe as a precondition for
    # exploiting CVE-2005-2494, so a hit means "unpatched", not "exploitable
    # as configured".
    flag = 0;
    if (slackware_check(osver:"10.0", pkgname:"kdebase", pkgver:"3.2.3", pkgarch:"i486", pkgnum:"3")) flag++;
    
    if (slackware_check(osver:"10.1", pkgname:"kdebase", pkgver:"3.3.2", pkgarch:"i486", pkgnum:"2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"kdebase", pkgver:"3.4.2", pkgarch:"i486", pkgnum:"2")) flag++;
    
    
    # Report as a host-level finding (port 0). With verbose reporting the
    # installed-vs-fixed package details from slackware_report_get() are
    # attached; otherwise only the bare finding is raised.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-815.NASL
    descriptionIlja van Sprundel discovered a serious lock file handling error in kcheckpass that can, in some configurations, be used to gain root access.
    last seen2020-06-01
    modified2020-06-02
    plugin id19711
    published2005-09-17
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19711
    titleDebian DSA-815-1 : kdebase - programming error
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-176-1.NASL
    descriptionIlja van Sprundel discovered a flaw in the lock file handling of kcheckpass. A local attacker could exploit this to execute arbitrary code with root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id20586
    published2006-01-15
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20586
    titleUbuntu 5.04 : kdebase vulnerability (USN-176-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0582.NASL
    descriptionUpdated kdebase packages that resolve several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the file manager Konqueror. Ilja van Sprundel discovered a lock file handling flaw in kcheckpass. If the directory /var/lock is writable by a user who is allowed to run kcheckpass, that user could gain root privileges. In Red Hat Enterprise Linux, the /var/lock directory is not writable by users and therefore this flaw could only have been exploited if the permissions on that directory have been badly configured. A patch to block this issue has been included in this update. (CVE-2005-2494) The following bugs have also been addressed : - kstart --tosystray does not send the window to the system tray in Kicker - When the customer enters or selects URLs in Firefox
    last seen2020-06-01
    modified2020-06-02
    plugin id22222
    published2006-08-14
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22222
    titleRHEL 4 : kdebase (RHSA-2006:0582)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-160.NASL
    descriptionIlja van Sprundel from suresec.org notified the KDE security team about a serious lock file handling error in kcheckpass that can, in some configurations, be used to gain root access. In order for an exploit to succeed, the directory /var/lock has to be writeable for a user that is allowed to invoke kcheckpass. The updated packages have been patched to correct this problem.
    last seen2020-06-01
    modified2020-06-02
    plugin id19915
    published2005-10-05
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19915
    titleMandrake Linux Security Advisory : kdebase (MDKSA-2005:160)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0582.NASL
    descriptionUpdated kdebase packages that resolve several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. The kdebase packages provide the core applications for KDE, the K Desktop Environment. These core packages include the file manager Konqueror. Ilja van Sprundel discovered a lock file handling flaw in kcheckpass. If the directory /var/lock is writable by a user who is allowed to run kcheckpass, that user could gain root privileges. In Red Hat Enterprise Linux, the /var/lock directory is not writable by users and therefore this flaw could only have been exploited if the permissions on that directory have been badly configured. A patch to block this issue has been included in this update. (CVE-2005-2494) The following bugs have also been addressed : - kstart --tosystray does not send the window to the system tray in Kicker - When the customer enters or selects URLs in Firefox
    last seen2020-06-01
    modified2020-06-02
    plugin id22277
    published2006-08-30
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22277
    titleCentOS 4 : kdebase (CESA-2006:0582)

Oval

accepted2013-04-29T04:19:07.188-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionkcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files.
familyunix
idoval:org.mitre.oval:def:9388
statusaccepted
submitted2010-07-09T03:56:16-04:00
titlekcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files.
version26

Redhat

advisories
bugzilla
id166995
titleCVE-2005-2494 kcheckpass privilege escalation
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentkdebase is earlier than 6:3.3.1-5.13
          ovaloval:com.redhat.rhsa:tst:20060582001
        • commentkdebase is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060548002
      • AND
        • commentkdebase-devel is earlier than 6:3.3.1-5.13
          ovaloval:com.redhat.rhsa:tst:20060582003
        • commentkdebase-devel is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20060548004
rhsa
idRHSA-2006:0582
released2006-08-10
severityLow
titleRHSA-2006:0582: kdebase security fix (Low)
rpms
  • kdebase-6:3.3.1-5.13
  • kdebase-debuginfo-6:3.3.1-5.13
  • kdebase-devel-6:3.3.1-5.13