exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

konversation.txt

konversation.txt
Posted Jan 25, 2005
Authored by Wouter Coekaerts

Konversation versions below 0.15.1 suffer from various flaws that allow for shell command injection amongst others.

tags | advisory, shell
SHA-256 | 1878ab58f77ea098da55b04d4e3cac28e5c15f51bc0bce5aed916d6b27a0de19

konversation.txt

Change Mirror Download
On 18 and 19 Jan 2005 I (Wouter Coekaerts) discovered 3 security
vulnerabilities in Konversation ("A user-friendly IRC-client for KDE",
http://konversation.berlios.de/).

Affected are version 0.15, CVS until 18-19/01/2005, and some older versions
too. They are fixed in 0.15.1.

Problem 1. Quick Buttons
========================
The Server::parseWildcards function is buggy: to expand % variables, it does
a series of QString.replace's, so the value for one variable can contain
another variable, which will then be expanded too. This function is used for
the "Quick Buttons" under the nicklist (which is disabled by default)

The only way I found to exploit this from another client, would be to let a
user join a channel with such vars in its name, and then let the user press
the Part Button. But since channel names cannot have spaces, only very
simple things can be done.
For example: in #%n/quit%n, he will disconnect.
An 'evil' server might be able to do this for other Quick Buttons too.

Problem 2. Included Perl scripts vulnerable to shell command injection
======================================================================
Perl scripts included with Konversation execute a command line similar to:
exec ("dcop $PORT Konversation say $SERVER \"$TARGET\" output");
shell characters in $SERVER or $TARGET aren't escaped.

Joining #`kwrite` and executing a script (for example typing /uptime) will
start kwrite. A song with a strange name may also cause command execution
with the media script.

Problem 3. Nick and password confused in quick connect dialog
=============================================================
I'll leave the question of wether or not this actually is a security bug
open, but at least I can imagine someone could see it as one.
Nick and password are confused in the quick connection dialog, so connecting
with that dialog and filling in a password, would use that password as nick.
If connecting works, you'll show everyone your password that was probably
a password for something else (since you could connecting with your nick as
password instead). If connecting fails because the server did require a
password, it may show an oper watching server notices your password and/or
put it in a logfile.

Solution
========
These problems are fixed in version 0.15.1, which was released 19/01/05
Individual patches can be downloaded at:
http://wouter.coekaerts.be/konversation.html :
http://wouter.coekaerts.be/files/konversation-parse.diff
http://wouter.coekaerts.be/files/konversation-quickconnect.diff
http://wouter.coekaerts.be/files/konversation-scripts.diff
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close