Bug 72804 - kde-base/kdebase: Konqueror SMB share password disclosure
Summary: kde-base/kdebase: Konqueror SMB share password disclosure
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B4 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2004-11-29 04:45 UTC by Luke Macken (RETIRED)
Modified: 2004-12-19 08:46 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Draft Advisory (advisory-20041208-1.txt, 2.38 KB, text/plain) - 2004-12-08 04:44 UTC, Caleb Tennis (RETIRED)
3.3.1 kdebase smb fix (post-3.3.1-kdebase-smb.diff, 1.35 KB, patch) - 2004-12-08 05:10 UTC, Caleb Tennis (RETIRED)
3.3.1 kdelibs khtml fix (post-3.3.1-kdelibs-khtml.diff, 3.72 KB, patch) - 2004-12-08 05:10 UTC, Caleb Tennis (RETIRED)
3.3.1 kdelibs kio fix (post-3.3.1-kdelibs-kio.diff, 1.33 KB, patch) - 2004-12-08 05:10 UTC, Caleb Tennis (RETIRED)
3.3.2 kdelibs kio fix (post-3.3.2-kdelibs-kio.diff, 1.60 KB, patch) - 2004-12-08 05:11 UTC, Caleb Tennis (RETIRED)
3.2.3 kdebase smb fix (post-3.2.3-kdebase-smb.diff, 1.28 KB, patch) - 2004-12-08 05:12 UTC, Caleb Tennis (RETIRED)
3.2.3 kdelibs khtml fix (post-3.2.3-kdelibs-khtml.diff, 3.13 KB, patch) - 2004-12-08 05:13 UTC, Caleb Tennis (RETIRED)
3.2.3 kdelibs kio fix (post-3.2.3-kdelibs-kio.diff, 1.47 KB, patch) - 2004-12-08 05:13 UTC, Caleb Tennis (RETIRED)

Description Luke Macken (RETIRED) gentoo-dev 2004-11-29 04:45:41 UTC
-------------------------------------------------------------------------
|      Password Disclosure for SMB Shares in KDE's Konqueror            |
-------------------------------------------------------------------------

Date: Nov. 29, 2004
Author: Daniel Fabian
Product: KDE, Konqueror
Vendor: KDE e. V. (http://www.kde.org)
Vendor-Status: vendor contacted
Vendor-Patches: none available so far
Attack Vector: Local

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~
The KDE program Konqueror allows for browsing SMB shares comfortably
through the GUI. By placing a shortcut to an SMB share on KDE's
desktop, an attacker can disclose his victim's password in
plaintext.


~~~~~~~~
Affected Versions
~~~~~~~~~~~~~~~~~~~~~~~~
The problem has been successfully reproduced with KDE 3.2.1 on a
standard SuSE 9.1 distribution. I have not been able to reproduce
the issue on a KDE 3.3.0, however the developers of KDE claimed
that there might be a related issue in both KDE 3.3 as well as the
upcoming KDE 3.4.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~
The vendor has been notified and was very cooperative. We set a
coordinated disclosure date to Nov. 10th. However, Nov. 10th passed
without a patch available. My mail for a new date has gone
unanswered for more than two weeks now, so I suppose it is ok to
release this advisory, very much so since this is not an issue that
can be widely exploited anyway.


~~~~~~~~
Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~
Opening the URL "smb:/" in Konqueror allows KDE users to browse the
local network for SMB shares. Upon selecting a computer, the user
has to enter a password, if access to that computer is restricted.
While the URL of the SMB share correctly does not show the password
in Konqueror's address bar, this can be easily bypassed by copying
a shortcut to a certain share to the desktop.

The created desktop icon will be given a name (and address) following
this scheme:

smb://domain\username:password@server\sharename

The password can be read in plaintext by an attacker. So while a
colleague is getting some coffee or having a short nap at
his desk, it is most easy to get the password of his open
SMB shares.


~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
Oct. 06: Discovery of the vulnerability
Oct. 10: Initial vendor reply
Nov. 10: Planned coordinated disclosure
Nov. 29: Final disclosure


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~
Until a patch is available, just lock your computer every time
you leave it (should be done regardless of this issue).


EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com
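A defender-side check for the shortcut layout the advisory describes, added here as an example and not code from the advisory, KDE or Gentoo: it parses the smb://domain\username:password@server\sharename form, reports .desktop entries whose Name= or URL= values embed a password, and rewrites those values with the password removed, which is the property any fix to the shortcut writer has to guarantee. The .desktop keys checked and the domain, user, password and host in the sample are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# scheme://[user[:password]@]rest; backslashes are allowed in the user part
# because KDE writes DOMAIN\user there, as the advisory's URL layout shows.
_URL_RE = re.compile(r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
                     r"(?:(?P<user>[^:@/]+)(?::(?P<pw>[^@/]*))?@)?(?P<rest>.*)$")
# Keys of a KDE "Link" .desktop entry that carry the share URL (assumed here).
_URL_KEYS = ("Name", "URL")

def embedded_password(url: str) -> Optional[str]:
    """Password in the userinfo part of url, or None if there is none."""
    m = _URL_RE.match(url)
    return m.group("pw") if m else None

def strip_password(url: str) -> str:
    """Rebuild url without the password; the DOMAIN\\user part is kept."""
    m = _URL_RE.match(url)
    if m is None or m.group("pw") is None:
        return url
    return f"{m.group('scheme')}://{m.group('user')}@{m.group('rest')}"

def audit_desktop_file(text: str) -> List[Tuple[str, str]]:
    """(key, password) for each Name=/URL= line whose value embeds a password."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        pw = embedded_password(value.strip()) if sep else None
        if key.strip() in _URL_KEYS and pw:
            findings.append((key.strip(), pw))
    return findings

def sanitize_desktop_file(text: str) -> str:
    """Copy of text with the password removed from every Name=/URL= value."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in _URL_KEYS:
            line = f"{key}={strip_password(value.strip())}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample shortcut in the layout the advisory describes; domain,
# user, password and host are made up for this example.
SAMPLE_DESKTOP = """[Desktop Entry]
Type=Link
Name=smb://CORP\\alice:hunter2@fileserver\\projects
URL=smb://CORP\\alice:hunter2@fileserver\\projects
"""
```

Running audit_desktop_file over a user's Desktop directory is enough to spot shortcuts that still carry a password after the fixed packages are installed.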
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-29 05:05:14 UTC
Confirmed. CC'ing maintainer and waiting for upstream.
Comment 2 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 04:44:54 UTC
Created attachment 45520 [details]
Draft Advisory
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 04:46:35 UTC
Ahem.  I thought security bugs like this were private - why is it being CCed to so many different people when I attached a patch?
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-08 04:57:31 UTC
Because it was public since November 29. Didn't include the reference initially as the web archive is a bit behind.

If it is a restricted bug it is clearly noted under the comment window and you're most likely CC'ed directly and not via the kde alias.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:10:05 UTC
Created attachment 45522 [details, diff]
3.3.1 kdebase smb fix
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:10:41 UTC
Created attachment 45523 [details, diff]
3.3.1 kdelibs khtml fix
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:10:57 UTC
Created attachment 45524 [details, diff]
3.3.1 kdelibs kio fix
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:11:20 UTC
Created attachment 45525 [details, diff]
3.3.2 kdelibs kio fix
Comment 9 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:12:55 UTC
Created attachment 45526 [details, diff]
3.2.3 kdebase smb fix
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:13:21 UTC
Created attachment 45527 [details, diff]
3.2.3 kdelibs html fix
Comment 11 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:13:48 UTC
Created attachment 45528 [details, diff]
3.2.3 kdelibs kio fix
Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2004-12-08 05:14:32 UTC
I will plan to address these patches once the kde folks say that they are happy with the extent of them.
Comment 13 Caleb Tennis (RETIRED) gentoo-dev 2004-12-09 06:46:17 UTC
The advisory has been made public.

kdelibs 3.3.2 already has the fix in portage, so no revision is necessary

kde{base,libs} 3.3.1 and 3.2.3 will receive the fixes in a little bit.

I will advise what to do next once I get the fixes in portage.
Comment 14 Caleb Tennis (RETIRED) gentoo-dev 2004-12-09 10:00:18 UTC
kdelibs and kdebase fixes should be in portage soon:

fixed versions:

kdelibs-3.2.3-r3
kdelibs-3.3.1-r1
kdelibs-3.3.2 (still unstable on all arches)

kdebase-3.2.3-r2
kdebase-3.3.1-r1
kdebase-3.3.2

I left the stable arches the same for the rev bump as the patches are very unobtrusive.

It looks to me like mips and ppc64 are the only arches without a stable solution to migrate to.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 06:05:33 UTC
Fixed with bug 73869, apparently ready for a GLSA
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2004-12-19 08:46:16 UTC
GLSA 200412-16