calling programs with relative paths = vulnerable

[GoogleCodeExporter]

logkeys uses shell scripting to extract certain information about the
system, e.g.

 "grep Name /proc/bus/input/devices | grep -nE '[Kk]eyboard|kbd'"

command string is used to extract event device number.

As logkeys is installed setuid root, the attacker could

 $ mv malicious_file.sh /home/attacker/attack_dir/grep
 $ PATH=/home/attacker/attack_dir:$PATH

and then run logkeys, which will upon execution of above command string run
the attackers malicious file with root permissions.

Proposed fix:

Use absolute program paths, e.g.

 "/bin/grep Name /proc/bus/input/devices | /bin/grep -nE '[Kk]eyboard|kbd'"

Also, logkeys shouldn't be setuid root, instead setuid the helper scripts
(lkl, lklk), which can also be run by anyone, but only configured by system
owner.

Original issue reported on code.google.com by kernc...@gmail.com on 22 Apr 2010 at 3:55

[GoogleCodeExporter]

hopefully fixed in r41

Original comment by kernc...@gmail.com on 22 Apr 2010 at 4:02

• Changed state: Fixed
• Added labels: ****
• Removed labels: ****

[GoogleCodeExporter]

god, fuck me, what everything one has to go through to make shell scripts 
setuid root.
I do [mostly] understand why, but it's still a hassle. :)

well, anyway, *llk* and *llk* are not scripts anymore, but setuid root programs 
that
issue logkeys-start.sh and logkeys-kill.sh respectively (r42)!

sheesh!

Original comment by kernc...@gmail.com on 22 Apr 2010 at 7:37

• Added labels: ****
• Removed labels: ****