SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   KDE
Vendors:   KDE.org
KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
SecurityTracker Alert ID:  1010932
SecurityTracker URL:  http://securitytracker.com/id/1010932
CVE Reference:   CVE-2004-0689, CVE-2004-0690, CVE-2004-0721
Date:  Aug 12 2004
Impact:   Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.2.3 and prior versions
Description:   Several vulnerabilities were reported in KDE. A local user may be able to obtain elevated privileges or deny service. A remote user may be able to spoof web sites.

It is reported that a local user can cause KDE to create or overwrite arbitrary files by creating a symbolic link (symlink) from a file on the system to a temporary file to be used by KDE [CVE: CVE-2004-0689]. Then, when the target user runs KDE applications outside of the KDE environment, the symlinked file may be created or truncated. The symlinks are created in '~/.kde'.

A local user can exploit this to prevent KDE applications from operating properly or to obtain elevated privileges.

This vulnerability was reported by Andrew Tuitt on June 23, 2004 and affects KDE 3.2.3 and prior versions.

It is reported that KDE's DCOPServer creates temporary files in an unsafe manner [CVE: CVE-2004-0690], including temporary files used for authentication. A local user can gain access to a target user's account.

This vulnerability was reported by Colin Phipps on July 25, 2004 and affects KDE 3.2 through 3.2.3.

It is also reported that a remote user can create HTML that, when loaded, will open a frame in an arbitrary frame-based web page that is currently open on the target user's system [CVE: CVE-2004-0721]. A remote user can exploit this flaw to spoof a web site.

KDE 3.2.3 and prior versions are affected.

Secunia reported this vulnerability on July 1, 2004.

The original advisories are available at:

http://www.kde.org/info/security/advisory-20040811-1.txt
http://www.kde.org/info/security/advisory-20040811-2.txt
http://www.kde.org/info/security/advisory-20040811-3.txt

Impact:   A local user can deny service to KDE applications.

A local user may be able to gain elevated privileges.

A remote user may be able to spoof arbitrary web sites.

Solution:   KDE has issued several patches for the three reported vulnerabilities.

For CVE-2004-0689:

Patches for KDE 3.0.5b are available from
ftp://ftp.kde.org/pub/kde/security_patches :

da950a651e69cd810019efce284120fc post-3.0.5b-kdelibs-kstandarddirs.patch

Patches for KDE 3.1.5 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

c97ab0cf014adb59e315047210316f5d post-3.1.5-kdelibs-kstandarddirs.patch

Patches for KDE 3.2.3 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

345ce2e01cfdfa4754c47894c0271dcc post-3.2.3-kdelibs-kstandarddirs.patch

For CVE-2004-0690:

Patches for KDE 3.2.3 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

0046c691fa833b2ff8d7eac15312a68b post-3.2.3-kdelibs-dcopserver.patch

For CVE-2004-0721:

Patches for KDE 3.0.5b are available from
ftp://ftp.kde.org/pub/kde/security_patches :

aa3ac08a45851a1c33b2fcd435e1d514 post-3.0.5b-kdelibs-htmlframes.patch
dc4dfff2df75d19e527368f56dc92abb post-3.0.5b-kdebase-htmlframes.patch

Patches for KDE 3.1.5 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

e6cebe1f93f7497d720018362077dcf7 post-3.1.5-kdelibs-htmlframes.patch
caa562da0735deacba3ae9170f2bf18f post-3.1.5-kdebase-htmlframes.patch

Patches for KDE 3.2.3 are available from
ftp://ftp.kde.org/pub/kde/security_patches :

8384f2785295be7082d9984ba8e175eb post-3.2.3-kdelibs-htmlframes.patch
a60fd1628607d4abdeb930662d126171 post-3.2.3-kdebase-htmlframes.patch

Vendor URL:  www.kde.org/info/security/
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 13 2004 (Gentoo Issues Fix) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Gentoo has released a fix.
Aug 17 2004 (Debian Issues Fix) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Debian has released a fix.
Aug 22 2004 (Mandrake Issues Fix) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Mandrake has released a fix.
Sep 15 2004 (Conectiva Issues Fix) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Conectiva has released a fix.
Oct 4 2004 (Red Hat Issues Fix for RHEL) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Dec 29 2004 (Conectiva Issues Fix) KDE Temporary File Bugs Let Local Users Gain Elevated Privileges and Frame Injection Flaw Lets Remote Users Spoof Web Sites
Conectiva has released a fix.

Source Message Contents

Subject:  KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities


Three security advisories have been issued today for KDE. The first advisory 
concerns the unsafe handling of KDE's temporary directory in certain 
circumstances. The second advisory relates to the unsafe creation of 
temporary files by KDE 3.2.x's dcopserver. The third advisory is about a 
frame injection vulnerability in Konqueror as earlier reported by Heise
Online and Secunia.

Distributions are expected to have updated binary packages available shortly. 
All issues mentioned above have also been fixed in the KDE 3.3 Release 
Candidate 2 that was announced yesterday. The final release of KDE 3.3 is 
expected later this month.

Cheers,
Waldo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: Temporary Directory Vulnerability
Original Release Date: 2004-08-11
URL: http://www.kde.org/info/security/advisory-20040811-1.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0689


1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive. 


2. Overview:

        The SUSE security team was alerted that in some cases the
        integrity of symlinks used by KDE is not ensured and that
        these symlinks can be pointing to stale locations. This can
        be abused by a local attacker to create or truncate arbitrary
        files or to prevent KDE applications from functioning
        correctly (Denial of Service).

        KDE creates in ~/.kde symlinks to a temporary directory, a socket
        directory and a cache directory. When a user logs into the KDE
        environment the startkde script ensures that these symlinks are
        present and point to directories that are owned by the user.
        However, when a user runs KDE applications outside the KDE
        environment or when a user runs a KDE application as another user,
        such as root, the integrity of these symlinks is not checked and it
        is possible that previously created but now stale symlinks exist.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0689 to this issue.


3. Impact:

        When a stale symlink is present a local attacker could create the
        directory that the symlink is pointing to with his own credentials
        to prevent access to this directory by KDE applications. This can
        prevent KDE applications from functioning correctly.

        When a stale symlink is present a local attacker could create the
        directory that the symlink is pointing to with his own credentials.
        Since KDE applications will attempt to create files with certain
        known names in this directory, an attacker can abuse this to overwrite
        arbitrary files with the privileges of the user.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.0.5b are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  da950a651e69cd810019efce284120fc  post-3.0.5b-kdelibs-kstandarddirs.patch

        Patches for KDE 3.1.5 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  c97ab0cf014adb59e315047210316f5d  post-3.1.5-kdelibs-kstandarddirs.patch

        Patches for KDE 3.2.3 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  345ce2e01cfdfa4754c47894c0271dcc  post-3.2.3-kdelibs-kstandarddirs.patch


6. Time line and credits:


        23/06/2004 SUSE Security Team alerted by Andrew Tuitt
        26/06/2004 Patches created
        27/07/2004 Vendors notified
        11/08/2004 Public advisory

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBGioUN4pvrENfboIRAnALAJ9ynwVAnzRtkDghmItkkCTe8qu/eACfabZc
X/9KZihVfSQKjOHvmvBOzv0=
=VM4l
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: DCOPServer Temporary Filename Vulnerability
Original Release Date: 2004-08-11
URL: http://www.kde.org/info/security/advisory-20040811-2.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0690
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386

1. Systems affected:

        KDE 3.2.x up to KDE 3.2.3 inclusive. 


2. Overview:

        The Debian project was alerted that KDE's DCOPServer creates
        temporary files in an insecure manner. Since the temporary
        files are used for authentication related purposes this can
        potentially allow a local attacker to compromise the account of
        any user who runs a KDE application.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0690 to this issue.


3. Impact:

        KDE's DCOPServer creates temporary files in an insecure manner.
        Since the temporary files are used for authentication related
        purposes this can potentially allow a local attacker to compromise
        the account of any user who runs a KDE application.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.2.3 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  0046c691fa833b2ff8d7eac15312a68b  post-3.2.3-kdelibs-dcopserver.patch


6. Time line and credits:


        25/07/2004 Debian Project alerted by Colin Phipps
        26/07/2004 KDE Security team informed by Chris Cheney
        26/07/2004 Patch created
        27/07/2004 Vendors notified
        11/08/2004 Public advisory

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBGiosN4pvrENfboIRApSoAJ0S7zbgId9etA3EDrOv5dnFpSUU4wCfd2JK
kHcL+tcXbrH971YcuoEleTQ=
=VHci
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

KDE Security Advisory: Konqueror Frame Injection Vulnerability
Original Release Date: 2004-08-11
URL: http://www.kde.org/info/security/advisory-20040811-3.txt

0. References

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0721
        http://secunia.com/advisories/11978/
        http://www.heise.de/newsticker/meldung/48793
        http://bugs.kde.org/show_bug.cgi?id=84352

1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive. 


2. Overview:

        The Konqueror web browser allows websites to load webpages into
        a frame of any other frame-based webpage that the user may have open.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0721 to this issue.


3. Impact:

        A malicious website could abuse Konqueror to insert its own frames
        into the page of an otherwise trusted website. As a result the user
        may unknowingly send confidential information intended for the
        trusted website to the malicious website.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patches for KDE 3.0.5b are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  aa3ac08a45851a1c33b2fcd435e1d514  post-3.0.5b-kdelibs-htmlframes.patch
  dc4dfff2df75d19e527368f56dc92abb  post-3.0.5b-kdebase-htmlframes.patch

        Patches for KDE 3.1.5 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  e6cebe1f93f7497d720018362077dcf7  post-3.1.5-kdelibs-htmlframes.patch
  caa562da0735deacba3ae9170f2bf18f  post-3.1.5-kdebase-htmlframes.patch

        Patches for KDE 3.2.3 are available from
        ftp://ftp.kde.org/pub/kde/security_patches : 

  8384f2785295be7082d9984ba8e175eb  post-3.2.3-kdelibs-htmlframes.patch
  a60fd1628607d4abdeb930662d126171  post-3.2.3-kdebase-htmlframes.patch


6. Time line and credits:


        01/07/2004 Secunia publishes security advisory
        04/08/2004 Patches created
        05/08/2004 Vendors notified
        11/08/2004 Public advisory

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBGioxN4pvrENfboIRAi+mAJ0WMjHog9VRHoDpPodNCwV0RhR0UQCeMNE/
hjSS3bG2/H6ZeaD2VSm9hoI=
=YE7B
-----END PGP SIGNATURE-----
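The first advisory's Overview describes what startkde does at login: it makes sure the symlinks in ~/.kde exist and point to directories owned by the user, a check that is skipped when KDE applications are run outside a KDE session or as another user. The POSIX shell script below is an added example, not part of the KDE advisory or of startkde itself; it performs that same audit on demand so a user or administrator can spot a stale or foreign-owned link before starting KDE applications from a plain shell. The link names `tmp-<host>`, `socket-<host>` and `cache-<host>` follow KDE 3's convention and, like the mode-0700 requirement, are assumptions of this example rather than something the advisory states; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example, not KDE code: audit the per-host symlinks that KDE 3 keeps
# in ~/.kde (tmp-<host>, socket-<host>, cache-<host>; the names are an
# assumption taken from KDE 3's convention) the way the advisory says
# startkde does at login: each link must exist, point at an existing
# directory, and that directory must belong to the invoking user. Mode 0700
# is required here as an extra hardening check beyond what the advisory says.
# Uses GNU `stat -c`; on BSD/macOS substitute `stat -f %u` and `stat -f %Lp`.

# check_kde_link LINK -> prints a one-line verdict, returns 0 only if sound
check_kde_link() {
    link="$1"

    # A missing link is not dangerous by itself; startkde would recreate it.
    if [ ! -L "$link" ]; then
        echo "MISSING: $link is not a symlink"
        return 1
    fi

    target=$(readlink "$link") || return 1
    # Resolve a relative link target against the directory holding the link.
    case "$target" in
        /*) ;;
        *)  target="$(dirname "$link")/$target" ;;
    esac

    # Stale link: the target directory does not exist, so whoever creates
    # that path first ends up owning what KDE later writes into it.
    if [ ! -d "$target" ]; then
        echo "STALE: $link -> $target (no such directory)"
        return 1
    fi

    # Foreign ownership: the directory exists but belongs to another uid.
    owner=$(stat -c %u "$target") || return 1
    if [ "$owner" != "$(id -u)" ]; then
        echo "FOREIGN: $link -> $target is owned by uid $owner, not $(id -u)"
        return 1
    fi

    # Permissions: nobody but the owner should be able to enter or list it.
    mode=$(stat -c %a "$target") || return 1
    if [ "$mode" != "700" ]; then
        echo "WEAK: $link -> $target has mode $mode (want 700)"
        return 1
    fi

    echo "OK: $link -> $target"
    return 0
}

# check_kde_links [KDEHOME] -> checks all three links, returns 0 only if all pass
check_kde_links() {
    kdehome="${1:-$HOME/.kde}"
    host=$(uname -n)
    rc=0
    for name in tmp socket cache; do
        check_kde_link "$kdehome/$name-$host" || rc=1
    done
    return $rc
}

# Usage from a login shell, before starting KDE applications outside a session:
#   . ./check_kde_links.sh && check_kde_links
```

The verdicts map onto the advisory's two impact cases: STALE is the precondition for both the denial of service and the file-overwrite scenario, and FOREIGN is the state after someone else has already created the target directory. Running the audit as the user who will launch the applications matters, because ownership is compared against the invoking uid, which is exactly the case (running as root, or outside the session) the advisory says startkde's own check does not cover.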
