[Konversation-devel] Re: konversation security bugs

Ismail Donmez ismail at kde.org.tr
Thu Jan 20 12:31:23 CET 2005


On Thursday 20 January 2005 12:46, Waldo Bastian wrote:

> * Evaluate the actual impact of the listed problems, can they be used by a
> bad guy to do harm? How?

Using a specially crafted channel name and making the user join it, one can do two 
things:

- Execute one-word commands, i.e. one can run "kwrite", "ls", etc., but can't run "ls 
-al", "rm -rf", etc., because channel names can't contain spaces

> * Get a CVE number (I can do that)
Ok, cool

> * Prepare a patch that fixes the problems.

http://janeway.no-ip.org/~cartman/kubuntu/security.diff

> * Review the patch to make sure it fixes all problems.

Yes, it's tested.

> * Decide whether you want to release a new version, the webpage above 
> mentions konversation 0.15.1 but I don't see it mentioned on the 
> konversation download page. (Who makes the release for konversation?)

I did the release; it's on http://developer.berlios.de/projects/konversation


> * Prepare the advisory (anyone can do that, just take an entry from
> http://www.kde.org/info/security and use that as template)

Attached for review.

Regards,
ismail

-------------- next part --------------
KDE Security Advisory: Multiple vulnerabilities in Konversation
Original Release Date: 20050120
URL: http://www.kde.org/info/security/advisory-YYYYMMDD-X.txt

0. References
	http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

1. Systems affected:

        All Konversation versions up to and including 0.15

2. Overview:

	The Server::parseWildcards function is buggy: to expand % variables it does a
	series of QString::replace calls, so the value substituted for one variable can
	itself contain another variable, which is then expanded as well.
	
	Perl scripts included with Konversation execute a command line
	similar to: exec ("dcop $PORT Konversation say $SERVER \"$TARGET\" output");
	shell metacharacters in $SERVER or $TARGET are not escaped, so the shell
	that interprets this string can be made to run other commands.

	Nick and password are confused in the quick connect dialog, so connecting
	with that dialog and filling in a password uses that password as the nick.

3. Impact:

	A user might be tricked into joining a channel whose name contains shell
	metacharacters. If the user then runs one of the included scripts in that
	channel, arbitrary commands are executed with the user's privileges.

	If quick connect is used with a password, the user's nick is set to the
	password and the nickname is sent as the password, exposing the password
	to anyone who can see the nick.

4. Solution:

	Upgrade to Konversation 0.15.1 (http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2)

5. Patch:

        A patch for Konversation 0.15 is available from http://janeway.no-ip.org/~cartman/kubuntu/security.diff

       	36f8b6beac18a9d173339388d13e2335  security.diff
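The two code-level bugs from section 2 of the advisory, reproduced as an added example in Python. This is illustration written for this page, not Konversation's code and not the contents of security.diff: the variable letters (%c, %n, %s), the template strings, the port/server values and the channel name "#kde`kwrite`" are all assumptions made up for the demonstration. The first part mimics a chain of QString::replace calls and a single-pass expansion that does not rescan substituted text; the second builds the dcop command line the way the Perl exec("...") string does, beside an argv-list form (the equivalent of Perl's exec LIST) and a properly quoted string. The RFC 2812 channel-name check is included to show why input validation alone does not help here: backticks, $ and quotes are legal in IRC channel names.

```python
"""Added example (not Konversation's code): the parseWildcards sequential
replace bug and the unescaped exec("...") shell string, reproduced in Python.
All names and sample values below are constructed for illustration."""
import re
import shlex
import subprocess


def expand_sequential(template, channel, nick, server):
    """Buggy: mimics a chain of QString::replace() calls (assumed %c/%n/%s).
    Each replace rescans the whole string, so a '%n' smuggled into the
    channel name is expanded by the following pass."""
    s = template
    s = s.replace("%c", channel)   # attacker-controlled value goes in here...
    s = s.replace("%n", nick)      # ...and this pass rescans it
    s = s.replace("%s", server)
    return s


_VAR = re.compile(r"%([cns])")


def expand_single_pass(template, channel, nick, server):
    """Fixed: one left-to-right scan; text returned by the callback is
    never rescanned, so variables inside values stay literal."""
    values = {"c": channel, "n": nick, "s": server}
    return _VAR.sub(lambda m: values[m.group(1)], template)


def is_valid_irc_channel(name):
    """RFC 2812 section 1.3: starts with & # + or !, at most 50 characters,
    no space, comma or BEL (0x07).  Note what is NOT forbidden: backticks,
    $, ; and quotes are all legal, so a protocol-valid channel name can
    still carry shell metacharacters."""
    return (1 <= len(name) <= 50
            and name[0] in "&#+!"
            and not any(ch in " ,\x07" for ch in name))


SHELL_META = set('`$;|&<>(){}"\'\\\n')


def shell_metachars(s):
    """Which shell-significant characters a value contains (sorted)."""
    return sorted(ch for ch in set(s) if ch in SHELL_META)


def naive_command_line(port, server, target):
    """What exec("dcop $PORT Konversation say $SERVER \\"$TARGET\\" output")
    builds: one string for /bin/sh -c, with the channel name pasted inside
    double quotes, where backticks and $(...) are still expanded."""
    return f'dcop {port} Konversation say {server} "{target}" output'


def safe_argv(port, server, target):
    """Fixed: an argv list (Perl: exec "dcop", $PORT, "Konversation", ...).
    No shell is involved, so the channel name is one opaque argument."""
    return ["dcop", str(port), "Konversation", "say", server, target, "output"]


def escaped_command_line(port, server, target):
    """Alternative when a shell string is unavoidable: quote every argument.
    shlex.quote wraps unsafe values in single quotes, where ` and $ are inert."""
    return shlex.join(safe_argv(port, server, target))


def demonstrate_with_echo(target):
    """Run the naive string through a real shell with 'echo' standing in for
    dcop, so the injected command visibly executes.  Not used by the tests."""
    cmd = naive_command_line(1234, "irc.example.org", target).replace("dcop", "echo", 1)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample: a one-word command in backticks, no spaces, so it is
    # a valid channel name (the same constraint the thread's author notes).
    evil = "#kde`uname`"
    print(is_valid_irc_channel(evil), shell_metachars(evil))
    print(expand_sequential("say %c %n", "#x%n", "alice", "irc.example.org"))
    print(expand_single_pass("say %c %n", "#x%n", "alice", "irc.example.org"))
    print(naive_command_line(1234, "irc.example.org", evil))
    print(demonstrate_with_echo(evil))      # 'uname' output appears inside the channel name
    print(safe_argv(1234, "irc.example.org", evil))
    print(escaped_command_line(1234, "irc.example.org", evil))
```

The argv-list form is the one to prefer: it removes the shell from the path entirely, whereas quoting has to be applied to every interpolated value and is easy to forget for the next one ($SERVER here is as attacker-influenced as $TARGET, since the server name is typed by whoever sets up the connection).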

