While 'playing' with my recently installed Red Hat 8 I discovered a big security leak. This was one month ago:
28 January 2002, 22:00h Standard European Time, to be correct.
I notified Red Hat immediately after speaking with MsMittens in the AO chatroom. She added some nice possible applications of the bug; I tested those and they worked. So the bug was more dangerous than it looked at first sight.
Enough background info... what's the problem?
Well, people using Red Hat 8.0 and X with Gnome should have noticed that they can use the new Red Hat authentication tool with the key icon in the notification area (the one that displays the time and so on), the so-called tray icons in Windows. Red Hat made it possible to change something while not logged in as root in the graphical shell by becoming root. If you want to do something you need to be root for, Red Hat asks for a password. If the correct password is given, Red Hat creates the key icon in the tray so you don't need to type the password all the time. In other words, admins can easily change some basic settings using the graphical shell and a user's account. The key icon stays there until it times out or you disable it.

And now comes the problem. When the root person logs off the X shell (run by the normal user), and the normal user logs back in -> tada -> the key icon is still there!!!!! Boom, root access for that particular user in the whole graphical Red Hat environment. Because RH made it possible to add users and groups from there, a smart user can create another user with root permissions and give his new root user not only a local backdoor but also remote access. w00t. Remote root exploit created.

So my main solution for this error: make sure that whenever you use root, you disable the key icon in the tray.
My email to RedHat:
hi,
There's a possible root vulnerability using Gnome in Red Hat 8.0 (Psyche), Kernel 2.4.18-14, Gnome 2.
It's related to the new Red Hat 8.0 Authentication function.
The problem is that when you log in as a normal user and after that an admin / root user changes something on the box using the authentication function, the keys icon is in the tray. If the admin then logs out without choosing "forget authorisation" and the normal user logs back in, the keys are still there.
In other words: in that case a normal user has local root access without providing the root password.
Reproducible? Always
steps to reproduce:
1) login as a normal user in the full GUI
2) a root user changes some settings using the new authentication function (the keys appear in the system tray)
3) he logs out without clicking on the keys icon and choosing "forget authorisation"
4) log in as the normal user from step 1
5) you have root privileges in Gnome (the keys are still in the tray)
It seems that the default is "keep authorisation" when IMHO it should be forget authorisation when you log out.
I hope this mail makes clear what the bug is, otherwise feel free to contact me.
Their response so far:
Hi Victor, thanks for contacting us.
This is a quick note to say that we received your report and that we'll
take a look at it this week. Once we've investigated we'll get back to
you.
Thanks, Mark
-- Mark J Cox / Security Response Team / Red Hat
--> To the people from Red Hat: this is by no means an attack on Red Hat or anything similar. I know you people are working hard to solve all kinds of problems, and I appreciate the fast email I got back. It seems however that a solution is not to be expected too fast, and therefore I wanted to drop this vulnerability warning to the admins out there, mainly because of how simple this is to use.
However, a script kiddie can do nothing with this, because you first need the luck that an admin logs out of your account after a root authentication in the Red Hat 8.0 graphical desktop.
VK
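The post's fix is to click the key icon and choose "forget authorisation" before logging out. Below is an added example, not code from the original post and not Red Hat's own fix, of a logout hook that does the same thing unattended: it deletes the cached authorization files for the user whose session is ending. It assumes the tray key icon is backed by pam_timestamp and that its timestamp files live in a per-user subdirectory of a base directory (the real default is believed to be /var/run/sudo, but the path is an assumption and is passed in as a parameter so the function can be exercised anywhere).

```shell
#!/bin/sh
# Added example: drop cached GUI root authorizations on logout so the key icon
# cannot survive into the next login of the same X session owner.
# Assumption: authorizations are pam_timestamp files stored under
# "$TIMESTAMP_DIR/<login user>/"; /var/run/sudo is the assumed default base.

TIMESTAMP_DIR="${TIMESTAMP_DIR:-/var/run/sudo}"

# forget_authorization BASE_DIR USER
# Removes every timestamp file under BASE_DIR/USER and prints how many were
# removed. Returns 0 whether or not anything existed, so it is safe as a hook.
forget_authorization() {
    base="$1"
    user="$2"
    dir="$base/$user"
    count=0
    [ -d "$dir" ] || { echo "$count"; return 0; }
    for f in "$dir"/*; do
        # A literal "$dir/*" is produced when the directory is empty; skip it.
        [ -e "$f" ] || continue
        rm -f -- "$f" && count=$((count + 1))
    done
    echo "$count"
}

# Typical use from a session logout script (e.g. the user's ~/.bash_logout or
# a GDM PostSession hook, both assumed locations):
#   forget_authorization "$TIMESTAMP_DIR" "$(id -un)" >/dev/null
```

The function is deliberately per-user: the admin who typed the root password did so inside the normal user's X session, so it is that user's timestamp directory, not root's home, that holds the leftover authorization. On a box where pam_timestamp_check is installed, running `pam_timestamp_check -k` from the same hook should achieve the equivalent through the module itself (that command and flag are stated from memory and should be verified on the target system).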