-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KDE Security Advisory: URI Handler Vulnerabilities Original Release Date: 2004-05-17 URL: http://www.kde.org/info/security/advisory-20040517-1.txt 0. References http://www.idefense.com/application/poi/display?id=104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0411 http://www.securityfocus.com/archive/1/363225 1. Systems affected: All versions of KDE up to KDE 3.2.2 inclusive. 2. Overview: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exists in KDE. The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0411 to this issue. 3. Impact: A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file anywhere where the victim has permission to do so. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI. A remote attacker could entice a user to open a carefully crafted mailto URI which may start the KMail program with its display redirected to a remote machine under control of the attacker. An attacker can then use this to gain full access to the victims personal files and account. An attacker could entice a user to open a carefully crafted mailto URI which may start the KMail program using a configuration file specified by the attacker. If the attacker is able to install arbitrary files somewhere on the machine, the attacker can include commands in the configuration file which will be executed with the privileges of the victim allowing the attacker to gain full access to the victims personal files and account. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.0.5b are available from ftp://ftp.kde.org/pub/kde/security_patches : 5c573853ec3f426d33c559958baa2169 post-3.0.5b-kdelibs-kapplication.patch eaf9237b3af56b3b01df966b13fe2714 post-3.0.5b-kdelibs-ktelnetservice.patch Patches for KDE 3.1.5 are available from ftp://ftp.kde.org/pub/kde/security_patches : 7c2bda942c4183d4163eb3f47f22e0bc post-3.1.5-kdelibs-kapplication.patch bde52aa0bba055c4f678540ec20bfe5a post-3.1.5-kdelibs-ktelnetservice.patch Patches for KDE 3.2.2 are available from ftp://ftp.kde.org/pub/kde/security_patches : 7cebc1abb3141287db618486fd679b32 post-3.2.2-kdelibs-kapplication.patch 52e0e955204a77781505d33b9a3c341d post-3.2.2-kdelibs-ktelnetservice.patch 6. Time line and credits: 02/04/2003 Exploit acquired by iDEFENSE 12/05/2004 Public disclosure of Opera vulnerability 13/05/2004 KDE Team informed by Martin Ostertag 13/05/2004 Patches created 14/05/2004 Vendors notified 14/05/2004 Patches created for mailto problem. 17/05/2004 Public advisory -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQFAqJGON4pvrENfboIRAms1AJ4hAlt1Hq1Ar41XDmYnmOx4U9BnVQCcD5UY 4lO8evQJXo5R0Z9BGjkUXZQ= =rj5C -----END PGP SIGNATURE-----