[Konversation-devel] Re: konversation security bugs

Waldo Bastian bastian at suse.com
Thu Jan 20 15:59:32 CET 2005


On Thursday 20 January 2005 12:31, Ismail Donmez wrote:
> On Thursday 20 January 2005 12:46, Waldo Bastian wrote:
> > * Evaluate the actual impact of the listed problems, can they be used by
> > a bad guy to do harm? How?
>
> Using a specially crafted channel name and making the user join it, one can do two
> things:
>
> - Execute one-word commands, i.e. one can run "kwrite", "ls" etc. but can't run
> "ls -al", "rm -rf" etc. due to the fact that channel names can't contain
> spaces

The trick around that tends to be "ls${IFS}-al" etc. 

> > * Get a CVE number (I can do that)
>
> Ok, cool
>
> > * Prepare a patch that fixes the problems.
>
> http://janeway.no-ip.org/~cartman/kubuntu/security.diff
>
> > * Review the patch to make sure it fixes all problems.
>
> Yes, it's tested.

Why are the scripts using "system" at certain places and "exec" at others?

> > * Decide whether you want to release a new version, the webpage above
> > mentions konversation 0.15.1 but I don't see it mentioned on the
> > konversation download page. (Who makes the release for konversation?)
>
> I did the release, it's on http://developer.berlios.de/projects/konversation

http://extragear.kde.org/apps/konversation/ points to
http://sourceforge.net/project/showfiles.php?group_id=53539

You may want to add it there as well then.

> > * Prepare the advisory (anyone can do that, just take an entry from
> > http://www.kde.org/info/security and use that as template)
>
> Attached for review.

> 2. Overview:
> 
>     The Server::parseWildcards function is buggy: to expand % variables, 
>     it does a series of QString.replace's, so the value for one variable can
>     contain another variable, which will then be expanded too.  

I think that's a bit too much detail. I would go with something like:

	A flaw in the expansion of %-escaped variables causes %-escaped
	variables in certain input strings to be inadvertently expanded too.

>       Perl scripts included with Konversation execute a command line
>       similar to: exec ("dcop $PORT Konversation say $SERVER \"$TARGET\" output");
>       shell characters in $SERVER or $TARGET aren't escaped.

Here too I would cut down on the technical stuff:
	Several perl scripts included with Konversation fail to properly handle
	command line arguments, causing a command line injection vulnerability.

Wouter writes on http://wouter.coekaerts.be/konversation.html : "A song with a 
strange name may also cause command execution with the media script.", how 
would that work? Would the user need to select that song himself on the 
command line or via the file dialog, or could someone else send it to him?

>      Nick and password are confused in the quick connection dialog, 
>      so connecting with that dialog and filling in a password, would use
>      that password as nick 

I would add:
	and may inadvertently expose the password to others.

And at the top something like:
	Multiple vulnerabilities have been discovered in Konversation, an IRC client
	for KDE.
  
> 3. Impact:
> 
>        A user might be tricked into joining a channel which contains shell
>        characters in its name.

I suggest:
	A user might be tricked into joining a channel with a specially crafted
	channel name containing shell commands.

>        If the user runs
>        a script in that channel it will result in arbitrary command
>        execution.

Is it clear to users when they run a script? (e.g. do you need to enter 
something like /script ?) If some commands are handled internally and some by 
scripts the user will most likely not be aware of the difference, in that 
case I would say:
	If the user invokes certain actions in such a channel this may result in
	the execution of the shell commands contained in the channel name.

>    If quick connect is used with a password, the user's nick contains the password
>    and the password used is the nickname, resulting in password exposure.

	If quick connect is used with a password, the password is used as nickname
	instead. As a result the password may be exposed to others.

> 5. Patch:
>
>        A patch for Konversation 0.15 is available from
>        http://janeway.no-ip.org/~cartman/kubuntu/security.diff
>
>        36f8b6beac18a9d173339388d13e2335  security.diff

I would put it on ftp://ftp.kde.org/pub/kde/security_patches and name it 
something like post-0.15-konversation.diff to be in line with the other 
patches there.

Do you know a timeline? I guess something like:

6. Time line and credits:

        18/01/2005 Konversation developers informed by Wouter Coekaerts
        19/01/2005 Patches applied to KDE CVS.
        19/01/2005 Konversation 0.15.1 released.
        20/01/2005 KDE Security Advisory released.


Cheers,
Waldo
-- 
bastian at kde.org   |   Free Novell Linux Desktop 9 Evaluation Download
bastian at suse.com  |   http://www.novell.com/products/desktop/eval.html
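Added example, not part of this thread or of Konversation's own scripts: the command line injection discussed above comes from handing a single interpolated string to exec/system, which goes through /bin/sh, so shell metacharacters in the channel name (including the "${IFS}" trick Waldo mentions) are interpreted. The Perl below shows that pattern next to the list form of system(), which never starts a shell. The server name, channel name, port and the use of printf as a stand-in for dcop are all constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample arguments: a server name and a channel name carrying
# shell metacharacters of the kind the advisory describes. Not real data.
my $server = 'irc.example.test';
my $target = '#chan"; ls${IFS}-al; echo "';

# VULNERABLE PATTERN (the shape quoted in the advisory draft): one string is
# handed to the shell, so every metacharacter in $server/$target is
# interpreted.  Built here only to show what /bin/sh would receive; it is
# never executed in this script.
sub build_shell_string {
    my ($port, $server, $target) = @_;
    return "dcop $port Konversation say $server \"$target\" output";
}

# HARDENED PATTERN: the list form of system()/exec() passes each element as
# its own argv entry and never starts a shell, so $target stays one literal
# argument no matter what it contains.  No escaping is needed at all.
sub build_argv {
    my ($port, $server, $target) = @_;
    return ('dcop', $port, 'Konversation', 'say', $server, $target, 'output');
}

# Run-time demonstration without dcop: the same list-form call, with the
# external printf standing in for dcop, prints one bracketed line per argv
# entry.  The injected channel name comes out as a single argument and the
# "ls${IFS}-al" inside it is never run.
sub demo_argv_boundaries {
    my @argv = build_argv('1234', $server, $target);
    shift @argv;    # drop the 'dcop' program name; printf takes the rest
    system('printf', "[%s]\n", @argv) == 0
        or die "printf failed: $?";
}

print "shell string (NOT run): ", build_shell_string('1234', $server, $target), "\n";
print "argv entries via list-form system():\n";
demo_argv_boundaries();
```

The same rule applies to exec: `exec { $argv[0] } @argv` (or simply `exec @argv` with more than one element) replaces the process without a shell. When a script mixes system and exec, as the thread asks about, the fix is the same for both: build a list, never a string.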



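Added example, not part of this thread or of Konversation's code: the Server::parseWildcards flaw quoted above comes from expanding %-variables with one replace per variable in sequence, so a value that itself contains a %-escape is rescanned on a later pass. The Perl below reproduces that scheme beside a single-pass expansion that looks each escape up once. The variable names (%n, %c, %s), their values and the template are constructed for the demonstration and are not Konversation's real escapes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed variable table; the names are assumptions for this example.
my %vars = (
    n => 'alice',               # nick
    c => '#kde',                # channel
    s => 'irc.example.test',    # server
);

# FLAWED SCHEME (as described in the advisory draft): one replace per
# variable, applied in sequence, so a value that contains %x is rescanned
# and expanded by a later pass.  The result also depends on key order.
sub expand_sequential {
    my ($template, $vars) = @_;
    for my $k (sort keys %$vars) {
        my $v = $vars->{$k};
        $template =~ s/%\Q$k\E/$v/g;
    }
    return $template;
}

# SINGLE-PASS SCHEME: one left-to-right regex walk; each %x is looked up
# once and the substituted value is never rescanned.  %% yields a literal
# percent sign, and an unknown escape is left as-is rather than dropped.
sub expand_single_pass {
    my ($template, $vars) = @_;
    $template =~ s{%(%|\w)}{
        $1 eq '%'          ? '%'
      : exists $vars->{$1} ? $vars->{$1}
      :                      "%$1"
    }ge;
    return $template;
}

# A nick whose text contains an escape.  With the flawed scheme the %s inside
# it is expanded as well; with the single-pass scheme it stays literal.
my %tainted = (%vars, n => 'bob%s');
my $tpl = 'say %c %n joined %s';

print "sequential : ", expand_sequential($tpl, \%tainted), "\n";
print "single-pass: ", expand_single_pass($tpl, \%tainted), "\n";
```

With the tainted nick the sequential version prints "say #kde bobirc.example.test joined irc.example.test", while the single-pass version prints "say #kde bob%s joined irc.example.test". The single-pass form is the property to check for when reviewing any templating code: substituted text must never be fed back into the scanner.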