[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
From: Stefan Seifert <nine@xxxxxxxxxxxxxx>
Date: Sat, 07 Aug 2004 10:31:54 +0200

Jordan Pilat wrote:

A vulnerability exists in the implementation of placing the SuSE YAST Control Center in the K Menu. Normally, one would be required to authenticate as root before being granted access to the YAST Control Center. When placing the 'preferences' submenu in the K Menu (in the 'submenu' section under the 'Menus' tab of the K menu panel preferences), however, one can not only access, but make changes to the options in the YAST control center without having to authenticate as root.

You can change options, but cannot save them or install software. It will fail silently, or with dubious error messages.

I experienced this after upgrading, when I suddenly was not able to change network settings or install new packages when starting the yast modules from the K-menu. I first thought that graphical yast was broken until I realized that it never asked me for a root password.

So it's not so much a security bug as just a normal usability bug. It's just useless to start yast without root privileges.

Stefan Seifert

References:
- SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
  - From: Jordan Pilat

Prev by Date: Winmx Software making calls to Port 25
Next by Date: Re: CVS woes: .cvspass
Previous by thread: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Next by thread: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Index(es):
- Date
- Thread