SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Instant Messaging/IRC/Chat)  >   KDE Konversation Vendors:   KDE.org
KDE Konversation Bugs May Allow a Remote User to Cause Command Execution on a Target User's System
SecurityTracker Alert ID:  1012972
SecurityTracker URL:  http://securitytracker.com/id/1012972
CVE Reference:   CVE-2005-0129, CVE-2005-0130, CVE-2005-0131
Date:  Jan 24 2005
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.15 and prior versions
Description:   Several vulnerabilities were reported in the KDE Konversation software. A remote user may be able to cause a target user to execute arbitrary commands. A target user may disclose their password to other users.

Wouter Coekaerts reported that the software does not properly expand %-escaped variables in certain input strings due to a flaw in the 'Server::parseWildcards' function [CVE: CVE-2005-0129]. A remote user may be able to cause a target user to execute shell commands.

Some Konversation perl scripts do not properly validate command line inputs, such as the $SERVER or $TARGET parameters [CVE: CVE-2005-0130]. A remote user may be able to get a target user to join a specially named channel. Then, if the target user runs a script in that channel, arbitrary shell commands may be executed on the target user's system.
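The command-line injection described above, shown as an added Perl example (not Konversation's own scripts): interpolating the channel name into a single command string hands it to /bin/sh, whereas the list form of system() and a conservative name check keep it out of the shell entirely. The channel name and the allowed-character policy are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed channel name: legal for IRC (no space, comma, NUL, CR or LF)
# but carrying shell metacharacters, like the "specially named channel"
# in the advisory.
my $target = '#chan;echo injected';

# Unsafe pattern: one interpolated string. Perl's single-argument system()
# sees the metacharacters and runs the whole string through /bin/sh -c,
# so the ';' terminates the intended command and starts another.
sub build_unsafe_command {
    my ($name) = @_;
    return "echo Message to $name";
}

# Safe pattern: a list of arguments. Multi-argument system() calls
# execvp() directly, so the channel name is only ever one argv entry.
sub build_safe_argv {
    my ($name) = @_;
    return ('echo', 'Message to', $name);
}

# Defensive check to run before either: accept only the characters this
# script expects in a channel name (an assumed policy, deliberately
# stricter than what the IRC protocol itself permits).
sub channel_name_ok {
    my ($name) = @_;
    return $name =~ /\A[#&][A-Za-z0-9_\-\[\]{}^`|.]{1,49}\z/ ? 1 : 0;
}

print "shell would receive: ", build_unsafe_command($target), "\n";
print "validation: ", (channel_name_ok($target) ? "accepted" : "rejected"), "\n";

# Only the list form is actually executed; echo prints the name verbatim.
system(build_safe_argv($target)) == 0 or die "exec failed: $?";
```

The unsafe string is printed rather than executed so the difference between what the shell would parse and what execvp() receives is visible side by side.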

The nick and password parameters are confused in the quick connection dialog, so a target user connecting with that dialog may expose their password [CVE: CVE-2005-0131].

The vendor was notified on January 18, 2005.

Impact:   A remote user may be able to cause a target user to execute arbitrary commands when the target user takes certain actions.

A target user may disclose their password to remote users.

Solution:   The vendor has issued a fixed version (0.15.1), available at:

http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2

A patch for Konversation 0.15 is also available at:

ftp://ftp.kde.org/pub/kde/security_patches

36f8b6beac18a9d173339388d13e2335 post-0.15-konversation.diff

Vendor URL:  www.kde.org/info/security/advisory-20050121-1.txt
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 25 2005 (Gentoo Issues Fix) KDE Konversation Bugs May Allow a Remote User to Cause Command Execution on a Target User's System
Gentoo has released a fix.



 Source Message Contents

Subject:  KDE Security Advisory: Multiple vulnerabilities in Konversation



KDE Security Advisory:  Multiple vulnerabilities in Konversation
Original Release Date: 20050121
URL: http://www.kde.org/info/security/advisory-20050121-1.txt

0. References
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0129
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0130
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0131
        http://lists.netsys.com/pipermail/full-disclosure/2005-January/031033.html

1. Systems affected:

        All Konversation versions up to and including 0.15

2. Overview:

        Multiple vulnerabilities have been discovered in Konversation,
        an IRC client for KDE.

        A flaw in the expansion of %-escaped variables means that %-escaped
        variables in certain input strings will be inadvertently expanded
        too. The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2005-0129 to this issue.

        Several perl scripts included with Konversation fail to properly
        handle command line arguments causing a command line injection
        vulnerability. The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CAN-2005-0130 to this issue.

        Nick and password are confused in the quick connection dialog,
        so connecting with that dialog and filling in a password would
        use that password as nick, and may inadvertently expose the
        password to others. The Common Vulnerabilities and Exposures project
        (cve.mitre.org) has assigned the name CAN-2005-0131 to this issue.

3. Impact:

        A user might be tricked into joining a channel with a specially crafted
        channel name containing shell commands. If the user runs a script in
        that channel, it will result in arbitrary command execution.

        If quick connect is used with a password, the password is used as
        nickname instead. As a result the password may be exposed to others.

4. Solution:

        Upgrade to Konversation 0.15.1 available from
        http://download.berlios.de/konversation/konversation-0.15.1.tar.bz2

5. Patch:

        A patch for Konversation 0.15 is available from
        ftp://ftp.kde.org/pub/kde/security_patches

        36f8b6beac18a9d173339388d13e2335  post-0.15-konversation.diff

6. Time line and credits:

        18/01/2005 Konversation developers informed by Wouter Coekaerts
        19/01/2005 Patches applied to KDE CVS.
        19/01/2005 Konversation 0.15.1 released.
        21/01/2005 KDE Security Advisory released.


