-------------------------------------------------------------------------
| Password Disclosure for SMB Shares in KDE's Konqueror |
-------------------------------------------------------------------------

Date: Nov. 29, 2004
Author: Daniel Fabian
Product: KDE, Konqueror
Vendor: KDE e. V. (http://www.kde.org)
Vendor-Status: vendor contacted
Vendor-Patches: none available so far
Attack Vector: Local

~~~~~~~~ Synopsis ~~~~~~~~~~~~~~~~~~~~~~~~

The KDE program Konqueror allows SMB shares to be browsed comfortably through the GUI. By placing a shortcut to an SMB share on KDE's desktop, an attacker can disclose his victim's password in plaintext.

~~~~~~~~ Affected Versions ~~~~~~~~~~~~~~~~~~~~~~~~

The problem has been successfully reproduced with KDE 3.2.1 on a standard SuSE 9.1 distribution. I have not been able to reproduce the issue on KDE 3.3.0; however, the developers of KDE claimed that there might be a related issue in both KDE 3.3 and the upcoming KDE 3.4.

~~~~~~~~ Vendor Status ~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been notified and was very cooperative. We set a coordinated disclosure date of Nov. 10th. However, Nov. 10th passed without a patch being available. My mail asking for a new date has gone unanswered for more than two weeks now, so I suppose it is OK to release this advisory, all the more so since this is not an issue that can be widely exploited anyway.

~~~~~~~~ Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~

Opening the URL "smb:/" in Konqueror allows KDE users to browse the local network for SMB shares. Upon selecting a computer, the user has to enter a password if access to that computer is restricted.

While the URL of the SMB share correctly does not show the password in Konqueror's address bar, this can easily be bypassed by copying a shortcut to a given share to the desktop. The created desktop icon is given a name (and address) following this scheme:

  smb://domain\username:password@server\sharename

The password can be read in plaintext by an attacker. So while a colleague is getting some coffee or having a short nap at his desk, it is most easy to obtain the password for his open SMB shares.

~~~~~~~~ Timeline ~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 06: Discovery of the vulnerability
Oct. 10: Initial vendor reply
Nov. 10: Planned coordinated disclosure
Nov. 29: Final disclosure

~~~~~~~~ Counter Measures ~~~~~~~~~~~~~~~~~~~~~~~~

Until a patch is available, lock your computer every time you leave it (which should be done regardless of this issue).

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~ Contact ~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH
Buero Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com
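As an added example, not part of the original advisory and not KDE's own code: a small Python check that finds credential-bearing smb:// URLs of the form described in the Vulnerability section inside freedesktop-style .desktop shortcut files and strips the password from them, which is the kind of audit an administrator could run over users' desktops while waiting for a patch. The .desktop sample is constructed here, the URL grammar (accepting both "\" and "/" as separators, as in the advisory's scheme) is this example's own, and keeping the username while dropping only the password is an assumption about what a safe shortcut should look like, not KDE's documented behaviour.

```python
import os
import re

# Added example (not KDE's code). Detects and redacts embedded credentials in
# SMB shortcut URLs of the form the advisory describes:
#   smb://domain\username:password@server\sharename
# Both "\" and "/" are accepted as separators; the grammar below is an assumption.
SMB_URL = re.compile(
    r"^smb://"
    r"(?:"                                  # optional userinfo ...
    r"(?:(?P<domain>[^\\/:@]+)\\)?"         #   "domain\"
    r"(?P<user>[^\\/:@]+)"                  #   username
    r"(?::(?P<password>[^@]*))?"            #   ":password"
    r"@)?"                                  # ... terminated by "@"
    r"(?P<host>[^\\/]+)"                    # server
    r"(?P<share>(?:[\\/].*)?)$"             # "\share" or "/share", may be empty
)

_SMB_TOKEN = re.compile(r"smb://\S+")       # any smb URL embedded in a text line


def parse_smb_url(url):
    """Split an smb:// URL into its parts; returns None if it does not match."""
    m = SMB_URL.match(url)
    return m.groupdict() if m else None


def has_embedded_password(url):
    """True if the URL carries a non-empty password in its userinfo."""
    parts = parse_smb_url(url)
    return bool(parts and parts["password"])


def redact_smb_url(url):
    """Drop the password but keep domain, user, server and share (assumed safe form)."""
    parts = parse_smb_url(url)
    if not parts or parts["password"] is None:
        return url
    prefix = parts["domain"] + "\\" if parts["domain"] else ""
    return "smb://{}{}@{}{}".format(prefix, parts["user"], parts["host"], parts["share"])


def scrub_desktop_text(text):
    """Scrub every password-bearing smb URL from the body of a .desktop file.

    Returns (findings, scrubbed_text). findings is a list of (line_no, key, user)
    so a report can name the exposed account without repeating the secret. Both
    the Name= and URL= keys are checked, since the advisory says the icon's name
    as well as its address carries the credentials.
    """
    findings = []
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        key = line.split("=", 1)[0] if "=" in line else ""
        for tok in _SMB_TOKEN.findall(line):
            if has_embedded_password(tok):
                findings.append((n, key, parse_smb_url(tok)["user"]))
        out.append(_SMB_TOKEN.sub(lambda m: redact_smb_url(m.group(0)), line))
    return findings, "\n".join(out) + ("\n" if text.endswith("\n") else "")


def scrub_desktop_dir(directory, rewrite=False):
    """Scan every *.desktop file under directory; optionally rewrite it in place."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.endswith(".desktop"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings, cleaned = scrub_desktop_text(fh.read())
            if findings:
                report[path] = findings
                if rewrite:
                    with open(path, "w", encoding="utf-8") as fh:
                        fh.write(cleaned)
    return report


# Constructed sample of the shortcut the advisory describes (not a real capture).
SAMPLE_DESKTOP = (
    "[Desktop Entry]\n"
    "Type=Link\n"
    "Name=smb://CORP\\alice:s3cret@fileserver\\projects\n"
    "URL=smb://CORP\\alice:s3cret@fileserver\\projects\n"
    "Icon=folder\n"
)

if __name__ == "__main__":
    hits, cleaned = scrub_desktop_text(SAMPLE_DESKTOP)
    for line_no, key, user in hits:
        print(f"line {line_no}: key {key!r} exposes the password of user {user!r}")
    print(cleaned, end="")
    # To audit a real desktop: scrub_desktop_dir(os.path.expanduser("~/Desktop"))
```

Running the block on the constructed sample reports both the Name= and URL= lines and prints the shortcut with the password removed; scrub_desktop_dir() applies the same check to every .desktop file under a directory and only rewrites files when asked to, so it can first be used as a read-only audit.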