2007-10-13 10:53:53 |
Andrea Corbellini |
description |
Steps to reproduce the bug:
1. Go to ~/.local/share/applications.
2. With a text editor, open a desktop entry of a program that needs root access, such as Synaptic.
3. Replace the «Exec» field with:
Exec=gksu touch /hello
4. Open the entry you have modified
5. The "hello" file will magically appear
If instead of "touch /hello" I wrote "rm /*" what will happen? |
Description:
With a corrupted menu entry in ~/.local/share/applications I can deceive a distracted user and have root access when he clicks on the entry.
Steps to reproduce the bug:
1. Go to ~/.local/share/applications.
2. With a text editor, open a desktop entry of a program that needs root access, such as Synaptic.
3. Replace the «Exec» field with:
Exec=gksu touch /hello
4. Open the entry you have modified
What happens:
A distracted user can insert the password without notice (especially if I use gksu --description and --message options to shadow the command) and the hello file will appear in /.
What's the matter?
For example, if instead of "touch /hello" I wrote "rm /*" all files will be destroyed. Also, I can put a trojan and control all the system. To corrupt the icon I can create a simple program (also a bash script) and if I spread it on the network it can be very dangerous! |
|
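A defender-side check for the condition this report describes, as an added example that is not part of the original bug report: it lists per-user desktop entries whose Exec runs through a password-prompting wrapper, uses the gksu --description or --message options, or differs from the system entry of the same file name. The function names, the wrapper list and the system directory path are assumptions of this example.

```python
import os
import shlex

# Assumption: programs treated as "asks for the root password".
PRIV_WRAPPERS = {"gksu", "gksudo", "kdesu", "sudo", "pkexec"}
# gksu options the report names as a way to hide the real command.
MASKING_OPTS = ("--description", "--message")

def exec_line(path):
    """Return the Exec= value of the [Desktop Entry] group, or None."""
    in_group = False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in map(str.strip, fh):
            if line.startswith("["):
                in_group = line == "[Desktop Entry]"
            elif in_group and line.partition("=")[0].strip() == "Exec":
                return line.partition("=")[2].strip()
    return None

def audit(user_dir, system_dir):
    """Return (file, exec, reasons) for user entries worth reviewing."""
    findings = []
    for name in sorted(os.listdir(user_dir)):
        if not name.endswith(".desktop"):
            continue
        cmd = exec_line(os.path.join(user_dir, name))
        if not cmd:
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:  # unbalanced quotes: fall back to a plain split
            argv = cmd.split()
        reasons = []
        if argv and os.path.basename(argv[0]) in PRIV_WRAPPERS:
            reasons.append("runs via privilege wrapper")
            if any(a.startswith(MASKING_OPTS) for a in argv[1:]):
                reasons.append("prompt text overridden")
        shadowed = os.path.join(system_dir, name)
        if os.path.isfile(shadowed) and exec_line(shadowed) != cmd:
            reasons.append("Exec differs from system entry")
        if reasons:
            findings.append((name, cmd, reasons))
    return findings

if __name__ == "__main__":
    # Per-user directory from the report; system directory is an assumed default.
    user = os.path.expanduser("~/.local/share/applications")
    if os.path.isdir(user):
        for hit in audit(user, "/usr/share/applications"):
            print(hit)
```

An entry that differs from its system counterpart is not necessarily malicious, since users may override launchers on purpose; the output is a review list, not a verdict.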