
Qt KSSL URL Spoofing

Posted Oct 7, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

Various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled, security-critical information. The primary area of concern at this time is the named applications' SSL certificate dialogue UI; however, other similar dialogue boxes may also be vulnerable.

tags | advisory, spoof
advisories | CVE-2011-3365, CVE-2011-3366, CVE-2011-3367
SHA-256 | f1104d7ba2003aa2ac18e3d2d43aeb4860aa6ccd918b4b4b79f4e418e6abe44f


Nth Dimension Security Advisory (NDSA20111003)
Date: 26th July 2011
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Various including KSSL, Rekonq, Arora, Psi IM
Vendor: n/a
Risk: Low

Summary

Various Qt applications including KSSL (the KDE class library responsible
for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI
spoofing due to their use of QLabel objects to render externally controlled,
security-critical information. The primary area of concern at this time
is the named applications' SSL certificate dialogue UI; however, other
similar dialogue boxes may also be vulnerable.

After discussions with Nokia, KDE and the Rekonq developers, the following
CVEs have been assigned to this issue:

* KSSL - CVE-2011-3365
* Rekonq - CVE-2011-3366
* Arora - CVE-2011-3367

Note that no CVE has yet been assigned to Psi IM. Nokia have also
updated the QLabel class section of the Qt documentation to provide
updated security information regarding this issue.

Technical Details

Various Qt applications are vulnerable to UI spoofing due to their use of
QLabel objects to render externally controlled, security-critical information.
It is possible to spoof the common name in the certificate dialogue UI in a
manner similar to the previous NULL byte attack. This is because the dialogue
is constructed from many QLabel objects, all of which support the QStyleSheet
class and have rich text rendering enabled by default, so markup embedded in a
certificate field is interpreted rather than displayed literally. An SSL
certificate demonstrating this issue can be generated as follows:

$ openssl genrsa -des3 -out PoC.key 1024

Having created the key, a certificate can then be generated:

$ openssl req -new -x509 -key PoC.key -out PoC-cert.pem -days 1095
Enter pass phrase for PoC.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nth Dimension
Organizational Unit Name (eg, section) []:Google Inc
Common Name (eg, YOUR name) []:www.google.com<table>.nth-dimension.org.uk
Email Address []:

In this case we simply self-sign, but it may be possible to persuade a
trusted CA to issue such a certificate based on the .nth-dimension.org.uk
suffix of the common name.

It is then possible to start a dummy server to test it:

$ openssl s_server -www -cert PoC-cert.pem -key PoC.key -accept 8080
Enter pass phrase for PoC.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Browsing to this server at https://localhost:8080/ in Konqueror results
in the certificate dialogue UI displaying details that include the
common name www.google.com.

In addition to the affected products listed above there are doubtless
other places where this will be an applicable attack. Essentially it's
a problem anywhere that you display a remotely set piece of text as part
of an authentication routine using QLabel or equivalent.
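The two controls a defender would want at this point, as an added example that is not code from the advisory, Qt or KDE: escaping the untrusted field the way QString::toHtmlEscaped() does before it reaches a rich-text widget, and validating that a certificate common name looks like a hostname at all so the PoC value above is rejected or logged instead of rendered. It is written against std::string so it builds without Qt; the function names are my own, and the simplest in-Qt fix remains label->setTextFormat(Qt::PlainText).

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Escape the four characters that carry meaning in rich text. This mirrors
// what QString::toHtmlEscaped() / Qt::escape() do: a QLabel left in its
// default Qt::AutoText mode then shows the CN literally instead of
// interpreting the embedded <table> tag.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '&':  out += "&amp;";  break;
        case '"':  out += "&quot;"; break;
        default:   out += c;
        }
    }
    return out;
}

// A hostname in a CN or SAN may contain only letters, digits, '-' and '.',
// optionally behind a leading "*." wildcard label, and is at most 253 bytes.
// Anything else (including the markup in the PoC certificate) is suspicious
// and should be rejected or logged before it is displayed to the user.
bool isPlausibleHostname(const std::string &cn) {
    if (cn.empty() || cn.size() > 253) return false;
    std::string body = cn;
    if (body.rfind("*.", 0) == 0) body = body.substr(2);  // wildcard certificate
    if (body.empty()) return false;
    for (char c : body) {
        bool ok = std::isalnum(static_cast<unsigned char>(c)) || c == '-' || c == '.';
        if (!ok) return false;
    }
    return true;
}

int main() {
    // Constructed input: the common name from the advisory's PoC certificate.
    const std::string pocCn = "www.google.com<table>.nth-dimension.org.uk";
    std::cout << (isPlausibleHostname(pocCn) ? "hostname ok: " : "REJECT, markup in CN: ")
              << htmlEscape(pocCn) << "\n";
    return 0;
}
```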

Solutions

Nth Dimension recommends that the vendor supplied patches should be
applied.

Patches have been committed to the kdelibs Git repository in the
following commit IDs:

* 4.6 branch: 9ca2b26f 90607b28
* 4.7 branch: bd70d4e5 86622e4d
* frameworks: bd70d4e5 86622e4d

Note: the second commit for each branch above is a fix for the HTTP IO
slave that fixes a similar issue (reported at the same time), but with
only very minor security implications.

Patches have been committed to the Rekonq Git repository in the following
commit IDs:

* 85f454fa
* 526ce56f
* d1711fff

History

On 29th June 2011, Nth Dimension contacted the KDE security team to
report the described vulnerability.

On 30th June 2011, Jeff Mitchell of KDE confirmed that he had received
the report.

On 2nd July 2011, Nth Dimension contacted KDE to inform them that
Arora (a pure QtWebKit based browser) and subsequently Rekonq (19th July
2011) were also affected.

In the latter case, Rich Moore and Nth Dimension then engaged with
Andrea from Rekonq to review their replacement certificate dialogue UI
which they had been independently developing to replace KSSL.

On 25th July 2011, Jeff Mitchell contacted oss-security on behalf of
the KDE security team to request a CVE for the various vulnerabilities,
which was duly assigned. Following the assignment of a CVE for this issue,
Nth Dimension and KDE liaised to establish a date for final publication
of the advisory and patches.

At this point David Faure of KDE took ownership of the issue and
supplied patches which resolve the issues identified with KSSL and HTTP
IO slaves. At this point it was confirmed that a coordinated disclosure
would occur on the 3rd October 2011.

Note that during this process Nth Dimension as well as the KDE security
team were also in correspondence with Peter Hartmann at Nokia regarding
Qt itself. As a result Nokia updated their documentation for QLabel and
published the following blog entry as part of a developer outreach:

* http://labs.qt.nokia.com/2011/10/04/security-considerations-regarding-qlabel-and-friends/

Current

As of the 4th October 2011, the state of the vulnerabilities is
believed to be as follows. Patches have been developed which
successfully mitigate the issues identified in KSSL and Rekonq. KDE
packaging teams have been notified and vendor specific patches should
already be available.

In the case of Arora and Psi IM, their development teams have been
notified although no specific response is forthcoming at this time.

Thanks

Nth Dimension would like to thank Jeff, Rich, David and Andrea of KDE
and Peter Hartmann of Nokia for the way they worked to resolve the
issue.