-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20111003)

Date: 26th July 2011
Author: Tim Brown
URL: /
Product: Various including KSSL, Rekonq, Arora, Psi IM
Vendor: n/a
Risk: Low

Summary

Various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled, security-critical information. The primary area of concern at this time is the named applications' SSL certificate dialogue UI; however, other similar dialogue boxes may also be vulnerable.

After discussions with Nokia, KDE and the Rekonq developers, the following CVEs have been assigned to this issue:

* KSSL - CVE-2011-3365
* Rekonq - CVE-2011-3366
* Arora - CVE-2011-3367

Note that no CVE has yet been assigned to Psi IM. Nokia have also updated the QLabel class section of the Qt documentation to provide updated security information regarding this issue.

Technical Details

Various Qt applications are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled, security-critical information. It is possible to spoof the common name in the certificate dialogue UI in a manner similar to the previous NULL byte attack. This is because the dialogue is constructed from many QLabel objects, all of which support the QStyleSheet class and have rich text rendering enabled by default.

An SSL certificate to exploit this issue can be generated as follows:

$ openssl genrsa -des3 -out PoC.key 1024

Having created the key, a certificate can then be generated:

$ openssl req -new -x509 -key PoC.key -out PoC-cert.pem -days 1095
Enter pass phrase for PoC.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Nth Dimension
Organizational Unit Name (eg, section) []:Google Inc
Common Name (eg, YOUR name) []:www.google.com.nth-dimension.org.uk
Email Address []:

In this case we simply self-sign, but it may be possible to persuade a trusted CA to issue a certificate for this name on the basis of the .nth-dimension.org.uk suffix of the common name. It is then possible to start a dummy server to test it:

$ openssl s_server -www -cert PoC-cert.pem -key PoC.key -accept 8080
Enter pass phrase for PoC.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

Browsing to this server at https://localhost:8080/ in Konqueror results in the details being displayed in the certificate dialogue UI, including the common name www.google.com.

In addition to the affected products listed above there are doubtless other places where this will be an applicable attack. Essentially it is a problem anywhere that a remotely set piece of text is displayed as part of an authentication routine using QLabel or an equivalent widget.

Solutions

Nth Dimension recommends that the vendor supplied patches be applied.

Patches have been committed to the kdelibs Git repository in the following commit IDs:

* 4.6 branch: 9ca2b26f 90607b28
* 4.7 branch: bd70d4e5 86622e4d
* frameworks: bd70d4e5 86622e4d

Note: the second commit for each branch above is a fix for the HTTP IO slave that fixes a similar issue (reported at the same time), but with only very minor security implications.

Patches have been committed to the Rekonq Git repository in the following commit IDs:

* 85f454fa
* 526ce56f
* d1711fff

History

On 29th June 2011, Nth Dimension contacted the KDE security team to report the described vulnerability.
On 30th June 2011, Jeff Mitchell of KDE confirmed that he had received the report.

On 2nd July 2011, Nth Dimension contacted KDE to inform them that Arora (a pure QtWebKit based browser) and subsequently Rekonq (19th July 2011) were also affected. In the latter case, Rich Moore and Nth Dimension then engaged with Andrea from Rekonq to review the replacement certificate dialogue UI which they had been independently developing to replace KSSL.

On 25th July 2011, Jeff Mitchell contacted oss-security on behalf of the KDE security team to request a CVE for the various vulnerabilities, which was duly assigned. Following the assignment of a CVE for this issue, Nth Dimension and KDE liaised to establish a date for final publication of the advisory and patches. At this point David Faure of KDE took ownership of the issue and supplied patches which resolve the issues identified with KSSL and the HTTP IO slave. It was then confirmed that a coordinated disclosure would occur on the 3rd October 2011.

Note that during this process Nth Dimension as well as the KDE security team were also in correspondence with Peter Hartmann at Nokia regarding Qt itself. As a result Nokia updated their documentation for QLabel and published the following blog entry as part of a developer outreach:

* http://labs.qt.nokia.com/2011/10/04/security-considerations-regarding-qlabel-and-friends/

Current

As of the 4th October 2011, the state of the vulnerabilities is believed to be as follows. Patches have been developed which successfully mitigate the issues identified in KSSL and Rekonq. KDE packaging teams have been notified and vendor specific patches should already be available. In the case of Arora and Psi IM, their development teams have been notified although no specific response is forthcoming at this time.

Thanks

Nth Dimension would like to thank Jeff, Rich, David and Andrea of KDE and Peter Hartmann of Nokia for the way they worked to resolve the issue.
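The following stand-alone C++ model is added here to illustrate the root cause described under Technical Details and the shape of the fix referred to under Solutions; it is not part of the advisory, of the vendor patches or of Qt. It approximates Qt's AutoText detection heuristic (Qt::mightBeRichText), the escaping done by QString::toHtmlEscaped() (Qt::escape() in Qt 4), and a minimal rich-text renderer, then applies them to a constructed subject common name. The sample CN (placed under reserved example domains), the TextFormat enum and every function name here are assumptions for illustration only.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Stand-alone model of QLabel's text formats (names follow Qt::TextFormat; this is
// illustrative code, not Qt's implementation).
enum class TextFormat { AutoText, PlainText, RichText };

// Constructed sample: a subject CN carrying markup, as the advisory describes.
// Uses reserved example domains; not taken from any real certificate.
const std::string kConstructedCN = "www.example.com<br>.example.net";

// Simplified approximation of Qt::mightBeRichText(): in AutoText mode the string is
// treated as HTML when a plausible "<name ...>" tag, or an "&lt;" entity, appears
// before the first newline. Qt's real heuristic additionally checks "<!doctype" and
// validates the tag name against a list.
bool mightBeRichText(const std::string& text) {
    std::string::size_type open = 0;
    while (open < text.size() && text[open] != '<' && text[open] != '\n') {
        if (text.compare(open, 4, "&lt;") == 0) return true;
        ++open;
    }
    if (open >= text.size() || text[open] != '<') return false;
    std::string::size_type close = text.find('>', open);
    if (close == std::string::npos) return false;
    std::string::size_type i = open + 1;
    if (i < close && text[i] == '/') ++i;               // closing tag
    if (i >= close || !std::isalpha(static_cast<unsigned char>(text[i]))) return false;
    while (i < close && std::isalnum(static_cast<unsigned char>(text[i]))) ++i;
    // Only attributes (after whitespace) or a trailing '/' may follow the tag name.
    return i == close || std::isspace(static_cast<unsigned char>(text[i])) ||
           (text[i] == '/' && i + 1 == close);
}

// Same four substitutions as QString::toHtmlEscaped() (Qt::escape() in Qt 4).
std::string htmlEscape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default: out += c;
        }
    }
    return out;
}

// Minimal stand-in for rich-text rendering: tags vanish, <br> becomes a line break
// and the four basic entities are decoded. Enough to show what the user would see.
std::string renderRichText(const std::string& html) {
    std::string out;
    for (std::string::size_type i = 0; i < html.size(); ++i) {
        if (html[i] == '<') {
            std::string::size_type close = html.find('>', i);
            if (close == std::string::npos) { out += html.substr(i); break; }
            std::string tag = html.substr(i + 1, close - i - 1);
            if (tag == "br" || tag == "br/" || tag == "br /") out += '\n';
            i = close;
        } else if (html.compare(i, 4, "&lt;") == 0)  { out += '<'; i += 3; }
        else if (html.compare(i, 4, "&gt;") == 0)    { out += '>'; i += 3; }
        else if (html.compare(i, 5, "&amp;") == 0)   { out += '&'; i += 4; }
        else if (html.compare(i, 6, "&quot;") == 0)  { out += '"'; i += 5; }
        else out += html[i];
    }
    return out;
}

// What a label with the given text format would display for this string.
std::string displayedText(const std::string& text, TextFormat fmt) {
    bool rich = fmt == TextFormat::RichText ||
                (fmt == TextFormat::AutoText && mightBeRichText(text));
    return rich ? renderRichText(text) : text;
}

// The first displayed line is what a user reads as "the" hostname in the dialogue.
std::string prominentLine(const std::string& text, TextFormat fmt) {
    std::string shown = displayedText(text, fmt);
    return shown.substr(0, shown.find('\n'));
}

int main() {
    std::cout << "AutoText (QLabel default) shows: "
              << prominentLine(kConstructedCN, TextFormat::AutoText) << '\n';
    std::cout << "PlainText shows: "
              << displayedText(kConstructedCN, TextFormat::PlainText) << '\n';
    std::cout << "Escaped, then AutoText shows: "
              << displayedText(htmlEscape(kConstructedCN), TextFormat::AutoText) << '\n';
    std::cout << "CN flagged as markup: " << std::boolalpha
              << mightBeRichText(kConstructedCN) << '\n';
    return 0;
}
```

In real Qt code the PlainText path corresponds to calling label->setTextFormat(Qt::PlainText) before label->setText(cn), which is the simplest fix for a label that only ever shows a certificate field; escaping the value is the fallback when the same label must also carry genuine markup. The mightBeRichText check doubles as a cheap detection: a subject field that would flip an AutoText label into rich-text mode is worth logging, because a well-formed hostname never contains a tag.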
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBCAAGBQJOjpuoAAoJEPJhpTVyySo7OoUQAK3HMuz5EkW0Vw3bH31v7B5P
+nZzdYCt7HVY/RIgPRrTGWtHv/EOPtzvtdzNLd4b8VcRb6UtuIA3VfvO64Duj68P
tbuieV7a/G19DN4Of3wv4VbjKynFJWsAYQflpME02brKbv2gDnRFhDHLx5ujpqoA
dwXTcXXTFFICNWOh+i1suYujZm+h/hRdcwjEEYXS+DLbyBQvQ8Jg4u+/z0PI7LUM
ArkAJB4UsGZJmkCeJZ8NSndwDxN+qWwWpAwNi+73p7tEIaC1YdX99Tk+RRTTmo+W
vaub7Qz3ocyb6Pn+pgkEmOwYmPwz2XSSCTwHveVdNdI518kD37r/t7UuMqlXctGC
YqM7KvrEm49xQE+q2AOpi1zrVgy9IhiABhG77QL0JYr6X/C10wuYrVg3ldJR+IrS
yEshJkPP0aAlnodKD3z++1Q0QsXzP3xzXJsE3xg0h81TfiVg6rFuYjd0nrMkUPPd
iPujyzhIOvQsf/KkJ/uDJUpgYVsR0B1vkhI5mqTyKQE3aSNs7/DSjeZDskCEQN4M
cDyH5kIOXlAoTZ9CVGSq0kPDEZC7WolWrGZAPORx6TfGOGAmZc9E1rxDTGXFKqyr
zjE3UnPvO/JwyOxRuuLNjxpx03khUV91JldnsiaoyL8IHcWr7SG6dVWynoEa82Xf
I/jDLIeaVHBo85BpyUZY
=UZz5
-----END PGP SIGNATURE-----