KDE Konversation Bugs May Allow a Remote User to Cause Command Execution on a Target User's System
|
|
SecurityTracker Alert ID: 1012972
|
|
SecurityTracker URL: http://securitytracker.com/id?1012972
|
|
CVE Reference: CAN-2005-0129
, CAN-2005-0130
, CAN-2005-0131
(Links to External Site)
|
Date: Jan 24 2005
|
Impact: Disclosure of authentication information, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 0.15 and prior versions
|
Description: Several vulnerabilities were reported in the KDE Konversation software. A remote user may be able to cause a target user to execute arbitrary commands. A target user may disclose their password to other users.
Wouter Coekaerts reported that the software does not properly expand %-escaped variables in certain input strings due to a flaw in
the 'Server::parseWildcards' function [CVE: CAN-2005-0129]. A remote user may be able to cause a target user to execute shell commands.
Some
Konversation perl scripts do not properly validate command line inputs, such as the $SERVER or $TARGET parameters [CVE: CAN-2005-0130].
A remote user may be able to get a target user to join a specially named channel. Then, if the target user runs a script in that
channel, arbitrary shell commands may be executed on the target user's system.
The nick and password parameters are confused
in the quick connection dialog, so a target user connecting with that dialog may expose their password [CVE: CAN-2005-0131].
The
vendor was notified on January 18, 2005.
|
Impact: A remote user may be able to cause a target user to execute arbitrary commands when the target user takes certain actions.
A target user may disclose their password to remote users.
|
Solution: The vendor has issued a fixed version (0.15.1), available at:
http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2
A
patch for Konversation 0.15 is also available at:
ftp://ftp.kde.org/pub/kde/security_patches
36f8b6beac18a9d173339388d13e2335
post-0.15-konversation.diff
|
Vendor URL: www.kde.org/info/security/advisory-20050121-1.txt (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: Waldo Bastian <bastian@kde.org>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Fri, 21 Jan 2005 16:31:20 +0100
From: Waldo Bastian <bastian@kde.org>
Subject: KDE Security Advisory: Multiple vulnerabilities in Konversation
|
--nextPart4795341.0jiZI0B2Gx
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
KDE Security Advisory: Multiple vulnerabilities in Konversation
Original Release Date: 20050121
URL: http://www.kde.org/info/security/advisory-20050121-1.txt
0. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2005-0131
http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html
1. Systems affected:
All Konversation versions up to and including 0.15
2. Overview:
Multiple vulnerabilities have been discovered in Konversation,
an IRC client for KDE.
A flaw in the expansion of %-escaped variables makes that %-escaped
variables in certain input strings will be inadvertently expanded
too. The Common Vulnerabilities and Exposures project (cve.mitre.or=
g)
has assigned the name CAN-2005-0129 to this issue.
Several perl scripts included with Konversation fail to properly
handle command line arguments causing a command line injection
vulnerability. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0130 to this issue.
=20
Nick and password are confused in the quick connection dialog,=20
so connecting with that dialog and filling in a password, would
use that password as nick, and may inadvertently expose the
password to others. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0131 to this issue.
=20
3. Impact:
A user might be tricked to join a channel with a specially crafted
channel name containing shell commands. If user runs a script in
that channel it will result in an arbitrary command execution.
If quick connect is used with a password, the password is used as
nickname instead. As a result the password may be exposed to others.
4. Solution:
Upgrade to Konversation 0.15.1 available from
http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2
5. Patch:
A patch for Konversation 0.15 is available from
ftp://ftp.kde.org/pub/kde/security_patches
36f8b6beac18a9d173339388d13e2335 post-0.15-konversation.diff
6. Time line and credits:
18/01/2005 Konversation developers informed by Wouter Coekaerts
19/01/2005 Patches applied to KDE CVS.
19/01/2005 Konversation 0.15.1 released.
21/01/2005 KDE Security Advisory released.
--nextPart4795341.0jiZI0B2Gx
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQBB8SBMN4pvrENfboIRAg7PAJ4u/TQhS8MGtnDFak2BbL82qKesigCggmtO
U61Vuf+NdDUtTPb60gGxxzU=
=Z68x
-----END PGP SIGNATURE-----
--nextPart4795341.0jiZI0B2Gx--
|
|
