[Konversation-devel] Re: konversation security bugs

Ismail Donmez ismail at kde.org.tr
Thu Jan 20 16:33:22 CET 2005


On Thursday 20 January 2005 16:59, you wrote:
> > Using a specially crafted channel name and making a user join it, one can do
> > two things:
> >
> > - Execute one-word commands: one can run "kwrite", "ls" etc. but can't run
> > "ls -al", "rm -rf" etc. due to the fact that channel names can't contain
> > spaces
>
> The trick around that tends to be "ls${IFS}-al" etc.

Ugh, that makes the issue more serious.

>
> > > * Get a CVE number (I can do that)
> >
> > Ok, cool
> >
> > > * Prepare a patch that fixes the problems.
> >
> > http://janeway.no-ip.org/~cartman/kubuntu/security.diff
> >
> > > * Review the patch to make sure it fixes all problems.
> >
> > Yes, it's tested.
>
> Why are the scripts using "system" at certain places and "exec" at others?

We use system when the script may need to do more processing, and exec where it 
doesn't need to execute the rest of the script, e.g. when an error occurred and the 
script should just exit.

> > I did the release, it's on
> > http://developer.berlios.de/projects/konversation
>
> http://extragear.kde.org/apps/konversation/ points to
> http://sourceforge.net/project/showfiles.php?group_id=53539
>
> You may want to add it there as well then.

**** Access denied: Insufficient Karma (cartman|
www/areas/extragear/apps/konversation)
cvs commit: Pre-commit check failed


> > Attached for review.
> >
> > 2. Overview:
> >
> >     The Server::parseWildcards function is buggy: to expand % variables,
> >     it does a series of QString.replace's, so the value for one variable
> >     can contain another variable, which will then be expanded too.
>
> I think that's a bit too much detail. I would go with something like:
>
> 	A flaw in the expansion of %-escaped variables causes %-escaped
> 	variables in certain input strings to be inadvertently expanded too.
>
> >       Perl scripts included with Konversation execute a command line
> >       similar to: exec ("dcop $PORT Konversation say $SERVER \"$TARGET\" output");
> >       shell characters in $SERVER or $TARGET aren't escaped.
>
>
> Here too I would cut down on the technical stuff:
> 	Several Perl scripts included with Konversation fail to properly handle
> 	command line arguments, causing a command line injection vulnerability.

Done

> Wouter writes on http://wouter.coekaerts.be/konversation.html : "A song
> with a strange name may also cause command execution with the media
> script.", how would that work? Would the user need to select that song
> himself on the command line or via the file dialog, or could someone else
> send it to him?
>
He needs to select the song _himself_ in amarok, juk or noatun _and_ 
run /amarok, /juk, or /noatun.

> >      Nick and password are confused in the quick connection dialog,
> >      so connecting with that dialog and filling in a password would use
> >      that password as nick
>
> I would add:
> 	and may inadvertently expose the password to others.
>
> And at the top something like:
> 	Multiple vulnerabilities have been discovered in Konversation, an IRC
> client for KDE.

Done

>
> > 3. Impact:
> >
> >        A user might be tricked into joining a channel which contains shell
> >        characters in its name.
>
> I suggest:
> 	A user might be tricked to join a channel with a specially crafted
> 	channel name containing shell commands.
>
> >        If the user runs
> >        a script in that channel, it will result in arbitrary command
> >        execution.
>

Done

> Is it clear to users when they run a script? (e.g. do you need to enter
> something like /script ?) If some commands are handled internally and some
> by scripts the user will most likely not be aware of the difference, in
> that case I would say:

Well, scripts are auto-aliased, but their names are different from normal 
commands, like /juk, /amarok, /weather etc.


> 	If the user invokes certain actions in such channel this may result in
> 	the execution of the shell commands contained in the channel name.
>
> >    If quick connect is used with a password, the user's nick contains the password
> >    and the password used is the nickname, resulting in password exposure.
>
> 	If quick connect is used with a password, the password is used as nickname
> 	instead. As a result the password may be exposed to others.
>
> > 5. Patch:
> >
> >        A patch for Konversation 0.15 is available from
> > http://janeway.no-ip.org/~cartman/kubuntu/security.diff
> >
> >        36f8b6beac18a9d173339388d13e2335  security.diff
>
> I would put it on ftp://ftp.kde.org/pub/kde/security_patches and name it
> something like post-0.15-konversation.diff to be in line with the other
> patches there.

Possibly I can't upload there.

>
> Do you know a timeline? I guess something like:
>
> 6. Time line and credits:
>
>         18/01/2005 Konversation developers informed by Wouter Coekaerts
>         19/01/2005 Patches applied to KDE CVS.
>         19/01/2005 Konversation 0.15.1 released.
>         20/01/2005 KDE Security Advisory released.

Yeah, the timeline is correct.

New advisory attached.

Cheers,
ismail


-------------- next part --------------
KDE Security Advisory: Multiple vulnerabilities have been discovered in Konversation, an IRC client for KDE.
Original Release Date: 20050120
URL: http://www.kde.org/info/security/advisory-YYYYMMDD-X.txt

0. References
	http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

1. Systems affected:

        All Konversation versions up to and including 0.15

2. Overview:

	A flaw in the expansion of %-escaped variables causes %-escaped
	variables in certain input strings to be inadvertently expanded too.

	Several Perl scripts included with Konversation fail to properly handle
	command line arguments, causing a command line injection vulnerability.

	Nick and password are confused in the quick connection dialog,
	so connecting with that dialog and filling in a password would use that password as nick,
	and may inadvertently expose the password to others.

3. Impact:

	A user might be tricked into joining a channel with a specially crafted
	channel name containing shell commands. If the user runs a script in that
	channel, it will result in arbitrary command execution.

	If quick connect is used with a password, the password is used as nickname
	instead. As a result the password may be exposed to others.

4. Solution:

	Upgrade to Konversation 0.15.1 (http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2)

5. Patch:

	A patch for Konversation 0.15 is available from http://janeway.no-ip.org/~cartman/kubuntu/security.diff

	36f8b6beac18a9d173339388d13e2335  security.diff

6. Time line and credits:

        18/01/2005 Konversation developers informed by Wouter Coekaerts
        19/01/2005 Patches applied to KDE CVS.
        19/01/2005 Konversation 0.15.1 released.
        20/01/2005 KDE Security Advisory released.
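The two flaws the advisory describes, reproduced as an added Python example that is not Konversation's code: `expand_sequential` mirrors the one-replace-per-variable expansion in which a substituted value containing another %-escape gets expanded again, `expand_single_pass` is the single-pass fix, and `build_argv` shows the defensive counterpart to the scripts' shell-string `exec`, expanding per argument into an argv list that no shell ever parses. The template, the single-letter variable names and the sample values are constructed assumptions, not the project's own table.

```python
import re
import shlex

# Constructed sample values (not taken from the project): what a script
# command template could see after a user joins a channel named "#%n".
SAMPLE_VALUES = {"s": "irc.example.net", "c": "#%n", "n": "alice"}
TEMPLATE = "dcop konversation say %s %c %n"


def expand_sequential(template, values):
    """Buggy expansion: one str.replace() per variable, in order.
    A value substituted early (here the channel "#%n") is re-scanned by
    later replace() calls, so the %n inside it is expanded as well."""
    out = template
    for key, val in values.items():
        out = out.replace("%" + key, val)
    return out


def expand_single_pass(template, values):
    """Fixed expansion: a single regex pass over the template only.
    Substituted values are never re-scanned, so %-escapes inside them stay
    literal. "%%" yields a literal percent sign; unknown escapes are kept."""
    def sub(m):
        key = m.group(1)
        if key == "%":
            return "%"
        return values.get(key, m.group(0))
    return re.sub(r"%(%|[A-Za-z])", sub, template)


def build_argv(template, values):
    """Expand each argument separately and return an argv list instead of
    one shell string: a value containing spaces or shell metacharacters
    stays a single argument. Hand the list to subprocess.run(argv); never
    join it back into a string for os.system()."""
    return [expand_single_pass(tok, values) for tok in shlex.split(template)]


if __name__ == "__main__":
    print(expand_sequential(TEMPLATE, SAMPLE_VALUES))
    print(expand_single_pass(TEMPLATE, SAMPLE_VALUES))
    print(build_argv(TEMPLATE, {**SAMPLE_VALUES, "c": "#a;b c"}))
```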
