[dot] KDE Security Advisory: URI Handler Vulnerabilities

Dot Stories stories at kdenews.org
Mon May 17 13:11:56 CEST 2004 

URL: http://dot.kde.org/1084792117/

From: Waldo Bastian <bastian at kde.org>
Dept: -dont-trust-hosts-that-start-with-dashes.com
Date: Monday 17/May/2004, @13:08

KDE Security Advisory: URI Handler Vulnerabilities
==================================================

   iDEFENSE  identified a vulnerability
[http://www.idefense.com/application/poi/display?id=104] in the Opera
Web Browser that could allow remote attackers to create or truncate
arbitrary files. The KDE team has found that similar vulnerabilities
exists in KDE.  The telnet, rlogin, ssh and mailto URI handlers in KDE
do not check for '-' at the beginning of the hostname passed, which
makes it possible to pass an option to the programs started by the
handlers.

       Original
Release Date: 2004-05-17 URL:
http://www.kde.org/info/security/advisory-20040517-1.txt
[http://www.kde.org/info/security/advisory-20040517-1.txt] 0. References
http://www.idefense.com/application/poi/display?id=104
[http://www.idefense.com/application/poi/display?id=104]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411]
http://www.securityfocus.com/archive/1/363225
[http://www.securityfocus.com/archive/1/363225] 1. Systems affected: All
versions of KDE up to KDE 3.2.2 inclusive.  2. Overview: iDEFENSE
identified a vulnerability in the Opera Web Browser that could allow
remote attackers to create or truncate arbitrary files. The KDE team has
found that similar vulnerabilities exists in KDE. The telnet, rlogin,
ssh and mailto URI handlers in KDE do not check for '-' at the beginning
of the hostname passed, which makes it possible to pass an option to the
programs started by the handlers. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0411 to
this issue. 3. Impact: A remote attacker could entice a user to open a
carefully crafted telnet URI which may either create or truncate a file
anywhere  where the victim has permission to do so. In KDE 3.2 and later
versions the user is first explicitly asked to confirm the opening of
the telnet URI. A remote attacker could entice a user to open a
carefully crafted mailto URI which may start the KMail program with its
display  redirected to a remote machine under control of the attacker.
An attacker can then use this to gain full access to the victims
personal files and account. An attacker could entice a user to open a
carefully crafted mailto URI which may start the KMail program using a
configuration file specified by the attacker. If the attacker is able to
install arbitrary files somewhere on the machine, the attacker can
include commands in the configuration file which will be executed with
the privileges of the victim allowing the attacker to gain full access
to the victims personal files and account. 4. Solution: Source code
patches have been made available which fix these vulnerabilities.
Contact your OS vendor / binary package provider for information about
how to obtain updated binary packages. 5. Patch: Patches for KDE 3.0.5b
are available from ftp://ftp.kde.org/pub/kde/security_patches
[ftp://ftp.kde.org/pub/kde/security_patches] : 
5c573853ec3f426d33c559958baa2169  post-3.0.5b-kdelibs-kapplication.patch
eaf9237b3af56b3b01df966b13fe2714 
post-3.0.5b-kdelibs-ktelnetservice.patch Patches for KDE 3.1.5 are
available from ftp://ftp.kde.org/pub/kde/security_patches
[ftp://ftp.kde.org/pub/kde/security_patches] : 
7c2bda942c4183d4163eb3f47f22e0bc  post-3.1.5-kdelibs-kapplication.patch
bde52aa0bba055c4f678540ec20bfe5a 
post-3.1.5-kdelibs-ktelnetservice.patch Patches for KDE 3.2.2 are
available from ftp://ftp.kde.org/pub/kde/security_patches
[ftp://ftp.kde.org/pub/kde/security_patches] : 
7cebc1abb3141287db618486fd679b32  post-3.2.2-kdelibs-kapplication.patch
52e0e955204a77781505d33b9a3c341d 
post-3.2.2-kdelibs-ktelnetservice.patch 6. Time line and credits:
02/04/2003 Exploit acquired by iDEFENSE 12/05/2004 Public disclosure of
Opera vulnerability 13/05/2004 KDE Team informed by Martin Ostertag
13/05/2004 Patches created 14/05/2004 Vendors notified 14/05/2004
Patches created for mailto problem. 17/05/2004 Public advisory

More information about the dot-stories mailing list