Bug 10621 - kde-base/kdenetwork
Summary: kde-base/kdenetwork
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Lowest critical
Assignee: Gentoo Security
Duplicates: 10707
Reported: 2002-11-12 03:26 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-04 19:42 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-11-12 03:26:46 UTC
iDEFENSE Security Advisory 11.11.02: Buffer Overflow in KDE resLISa

From: "iDEFENSE Labs" <listserv@idefense.com>
To: aliz@gentoo.org
Date: Mon, 11 Nov 2002 11:48:18 -0500

iDEFENSE Security Advisory 11.11.02:
http://www.idefense.com/advisory/11.11.02.txt
Buffer Overflow in KDE resLISa
November 11, 2002

I. BACKGROUND

KDE is a popular open source graphical desktop environment for Unix
workstations. Its kdenetwork module contains a LAN browsing implementation known
as LISa, which is used to identify CIFS and other servers on the local network.
LISa consists of two main modules: "lisa", a network daemon, and "resLISa", a
restricted version of the lisa daemon created by Alexander Neundorf. LISa's lisa
module can be accessed in KDE using the URL type "lan://"; the resLISa module
can be accessed using the URL type "rlan://".

II. DESCRIPTION

Local exploitation of a buffer overflow within the resLISa module could allow an
attacker to gain elevated privileges. The overflow exists in the parsing of the
LOGNAME environment variable; an overly long value will overwrite the
instruction pointer, thereby allowing an attacker to seize control of the
executable. The following is a snapshot of the exploit in action:

farmer@debian30:~$ ./reslisa_bof
farmer@debian30:~$ NetManager::prepare: listen failed
sh-2.05a$ id
uid=1000(farmer) gid=1000(farmer) groups=1000(farmer)

While the attacker's privileges have not been escalated, the following shows the
creation of a raw socket that is accessible by the attacker:

farmer@debian30:~$ lsof | grep raw
sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07

farmer@debian30:~$ cd /proc/1413/fd/
farmer@debian30:/proc/1413/fd$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432]
l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null
lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433]

III. ANALYSIS

Local attackers can use access to a raw socket to sniff network traffic and
generate malicious traffic (such as network scans, ARP redirects, DNS
poisoning). This can lead to further compromise of the target system as well as
other neighboring systems, depending on network trust relationships.

IV. DETECTION

This vulnerability exists in all versions of resLISa included within kdenetwork
packages found in versions of KDE before 3.0.5. To determine if a specific
implementation is vulnerable issue the following commands:

$ LOGNAME=`perl -e 'print "A"x5000'`
$ `which reslisa` -c .

If the application exits, printing "signal caught: 11, exiting", then it is
vulnerable.  The above example was performed on resLISa version 0.1.1 which is
packaged and distributed with Debian 3.0r0.

V. VENDOR FIX

KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable buffer
overflow found in LISa by Olaf Kirch of SuSE Linux AG. More information about
the fix is available at http://www.kde.org/info/security. Individual Unix
vendors should be providing updated KDE distributions on their appropriate
download sites.

Lisa 0.2.2, which also fixes these issues and compiles independent of KDE, can
be downloaded at http://lisa-home.sourceforge.net/download.html.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned
the identification number CAN-2002-1247 to this issue.

VII. DISCLOSURE TIMELINE

10/02/2002      Issue disclosed to iDEFENSE
10/31/2002      Maintainer, Alexander Neundorf (neundorf@kde.org),
                and Linux Security list (vendor-sec@lst.de) notified
10/31/2002      Response received from Alexander Neundorf
11/01/2002      iDEFENSE clients notified
11/11/2002      Coordinated public disclosure

VIII. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.


Comment 1 Daniel Ahlberg (RETIRED) gentoo-dev 2002-11-13 06:27:22 UTC
KDE Security Advisory: resLISa / LISa Vulnerabilities

From: Andreas Pour <pour@kde.org>  (KDE)
To: bugtraq@securityfocus.com
Date: Tue, 12 Nov 2002 06:28:04 -0600

KDE Security Advisory: resLISa / LISa Vulnerabilities
Original Release Date: 2002-11-11
URL: http://www.kde.org/info/security/advisory-20021111-2.txt

0. References

        iDEFENSE Security Advisory 11.11.02
        (http://www.idefense.com/advisory/11.11.02.txt).

1. Systems affected:

        All KDE 2 releases from KDE 2.1 and all KDE 3 releases (up to
        3.0.4 and 3.1rc3).

2. Overview:

        The kdenetwork module of KDE contains a LAN browsing implementation
        known as LISa, which is used to identify CIFS and other servers on
        the local network.  LISa consists of two main modules, "lisa", a
        network daemon, and "reslisa", a restricted version of the lisa
        daemon.  LISa can be accessed in KDE using the URL type "lan://",
        and resLISa using the URL type "rlan://".

        LISA will obtain information on the local network by looking for an
        existing LISA server on other local hosts, and if there is one,
        retrieves the list of servers from it.  If there is no other LISA
        server, it will scan the network and create a server list.

        The browser daemon 'lisa' is typically configured to start as a
        system service at system boot time.

        resLISa is a restricted version of LISa which uses a configuration
        file to identify hosts on the network rather than scanning for
        them.  resLISa is typically installed SUID root and started by a user
        to browse the configured network servers.  However, it does not
        directly communicate with servers on the network.

3. Impact:

        The resLISa daemon contains a buffer overflow vulnerability which
        potentially enables any local user to obtain access to a raw socket
        if 'reslisa' is installed SUID root.  This vulnerability was
        discovered by the iDEFENSE security team and Texonet.

        The lisa daemon contains a buffer overflow vulnerability which
        potentially enables any local user, as well as any remote attacker
        on the LAN who is able to gain control of the LISa port (7741 by
        default), to obtain root privileges.

        In addition, a remote attacker potentially may be able to gain
        access to a victim's account by using an "lan://" URL in an HTML
        page or via another KDE application.  These vulnerabilities were
        discovered by Olaf Kirch at SuSE Linux AG.

4. Solution:

        The vulnerabilities have been fixed in KDE 3.0.5 and patches
        are available for those using KDE 3.0.4.  We recommend either
        upgrading to KDE 3.0.5, applying the patches or disabling the
        resLISa and LISa services.

        The resLISa vulnerability can be disabled by unsetting the SUID bit
        on resLISa.  Typically this is accomplished by executing the command:

          chmod a-s `which reslisa`

        Note that this will prevent users from using the resLISa service.

        The first LISa vulnerability can be disabled by disabling the LISa
        service.  Typically this is accomplished by executing the commands:

          /etc/init.d/lisa stop
          rm /etc/init.d/lisa `which lisa`

        or

          rpm -e kdenetwork-lisa

        However, the appropriate commands depend on your vendor's OS and how
        the various components of kdenetwork were packaged.

        The second LISa vulnerability can be disabled by deleting any
        lan.protocol and rlan.protocol files on the system and restarting
        the active KDE sessions.  The files are usually installed in
        [kdeprefix]/share/services/lan.protocol and
        [kdeprefix]/share/services/rlan.protocol  ([kdeprefix] is typically
        /opt/kde3 or /usr), but copies may exist elsewhere, such as in
        users' [kdehome]/share/services directory ([kdehome] is typically
        the .kde directory in a user's home directory).

        kdenetwork-3.0.5 can be downloaded from
        http://download.kde.org/stable/3.0.5/src/ :

         504032bceeef0dfa9ff02aed0faf795d   kdenetwork-3.0.5.tar.bz2

        Some vendors are building binary packages of kdenetwork-3.0.5.
        Please check your vendor's website and the KDE 3.0.5 information page
        (http://ww.kde.org/info/3.0.5.html) periodically for availability.


5. Patch:

        Patches are available for KDE 3.0.4 from the KDE FTP server
        (ftp://ftp.kde.org/pub/kde/security_patches/):

        5b2334c689ae9412475f6b653a107401  post-3.0.4-kdenetwork-lanbrowsing.diff
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2002-11-13 06:27:42 UTC
KDE Security Advisory: rlogin.protocol and telnet.protocol URL KIO Vulnerability

From: Andreas Pour <pour@mieterra.com>  (MieTerra LLC)
To: bugtraq@securityfocus.com
Date: Tue, 12 Nov 2002 06:26:48 -0600

KDE Security Advisory: rlogin.protocol and telnet.protocol URL KIO Vulnerability
Original Release Date: 2002-11-11
URL: http://www.kde.org/info/security/advisory-20021111-1.txt

0. References

        None.


1. Systems affected:

        All KDE 2 releases starting with KDE 2.1 and all KDE 3 releases
        (up to 3.0.4).

2. Overview:

        KDE provides support for various network protocols via the KIO
        subsystem.  These protocols are implemented with text files
        containing the extension .protocol, normally stored in the
        shared/services/ subdirectory under the KDE installation root.

        The implementation of the rlogin protocol in all of the affected
        systems, and the implementation of the telnet protocol in affected
        KDE 2 systems, allows a carefully crafted URL in an HTML page,
        HTML email or other KIO-enabled application to execute arbitrary
        commands on the system using the victim's account on the
        vulnerable machine.

3. Impact:

        The vulnerability potentially enables local or remote attackers
        to compromise a victim's account and execute arbitrary commands
        on the local system with the victim's privileges, such as erasing
        files, accessing data or installing trojans.

4. Solution:

        The vulnerability has been fixed in KDE 3.0.5 and a patch is
        available for KDE 3.0.4.  For affected KDE 3 systems, we recommend
        upgrading to KDE 3.0.5, applying the patch provided or disabling
        the rlogin protocol.

        For affected KDE 2 systems, we recommend disabling both the rlogin
        and telnet KIO protocols.

        The rlogin protocol vulnerability can be disabled by deleting
        any rlogin.protocol files on the system and restarting the active
        KDE sessions.  The file is usually installed in
        [kdeprefix]/share/services/rlogin.protocol ([kdeprefix] is typically
        /opt/kde3 or /usr), but copies may exist elsewhere, such as in
        users' [kdehome]/share/services directory ([kdehome] is typically
        the .kde directory in a user's home directory).

        The telnet protocol vulnerability can be similarly disabled in
        affected KDE 2 systems.

        kdelibs-3.0.5 can be downloaded from
        http://download.kde.org/stable/3.0.5/src/kdelibs-3.0.5.tar.bz2 :

        ff22bd58b91ac34e476c308d345421aa  kdelibs-3.0.5.tar.bz2

        Some vendors are building binary packages of kdelibs-3.0.5.
        Please check your vendor's website and the KDE 3.0.5 information page
        (http://ww.kde.org/info/3.0.5.html) periodically for availability.

5. Patch:

        Patches are available for KDE 3.0.x from the KDE FTP server
        (ftp://ftp.kde.org/pub/kde/security_patches/):

        5625501819f09510d542142aea7b85ab  post-3.0.4-kdelibs-kio-misc.diff
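As an added example (not part of either advisory or of this Gentoo bug), the shell audit below checks the file-level workarounds from section 4 of both KDE advisories above: it reports a SUID reslisa and any lan/rlan/rlogin/telnet .protocol files under the [kdeprefix] and [kdehome] service directories, then applies the advisories' chmod a-s and deletion steps. The directory layout and the fixture it builds in a temp dir are assumptions, constructed so the script runs offline.

```sh
# Audit of the file-level workarounds from section 4 of both KDE advisories: the SUID
# bit on reslisa and the lan/rlan/rlogin/telnet .protocol files. Added example, not
# KDE's or Gentoo's code; the [kdeprefix]/[kdehome] layout from the advisories is assumed.

# Print one finding per line (SUID:<path> or PROTOCOL:<path>) for a prefix and a kdehome.
audit_kde_lan() {
    [ -u "$1/bin/reslisa" ] && echo "SUID:$1/bin/reslisa"
    for dir in "$1/share/services" "$2/share/services"; do
        for name in lan rlan rlogin telnet; do
            [ -f "$dir/$name.protocol" ] && echo "PROTOCOL:$dir/$name.protocol"
        done
    done
    return 0
}

# Number of findings; 0 means the advisories' workarounds are all in place.
count_findings() {
    audit_kde_lan "$1" "$2" | wc -l | tr -d ' '
}

# The advisories' own workarounds: chmod a-s on reslisa and deletion of the lan/rlan/
# rlogin .protocol files (telnet.protocol is only reported; the advisory removes it on KDE 2).
apply_workarounds() {
    if [ -f "$1/bin/reslisa" ]; then chmod a-s "$1/bin/reslisa"; fi
    for dir in "$1/share/services" "$2/share/services"; do
        rm -f "$dir/lan.protocol" "$dir/rlan.protocol" "$dir/rlogin.protocol"
    done
}

# Constructed fixture so the audit runs offline: a fake [kdeprefix] holding a SUID
# reslisa, lan.protocol and rlogin.protocol, plus a per-user copy of rlogin.protocol.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/kde3/bin" "$root/opt/kde3/share/services" \
             "$root/home/u/.kde/share/services"
    : > "$root/opt/kde3/bin/reslisa"; chmod u+s "$root/opt/kde3/bin/reslisa"
    : > "$root/opt/kde3/share/services/lan.protocol"
    : > "$root/opt/kde3/share/services/rlogin.protocol"
    : > "$root/home/u/.kde/share/services/rlogin.protocol"
    echo "$root"
}
root=$(make_fixture)
prefix="$root/opt/kde3"; kdehome="$root/home/u/.kde"
audit_kde_lan "$prefix" "$kdehome"
before=$(count_findings "$prefix" "$kdehome")   # 4 on the fixture
apply_workarounds "$prefix" "$kdehome"
after=$(count_findings "$prefix" "$kdehome")    # 0 once the workarounds are applied
echo "findings: $before before, $after after"
rm -rf "$root"
```

On a real system, pass the actual [kdeprefix] (e.g. /opt/kde3 or /usr) and each user's [kdehome] to audit_kde_lan; a non-empty report means the advisory's workarounds, or the KDE 3.0.5 upgrade, are still outstanding.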
Comment 3 Daniel Ahlberg (RETIRED) gentoo-dev 2002-11-14 02:59:54 UTC
*** Bug 10707 has been marked as a duplicate of this bug. ***