-------------------------------------------------------------------------
| Password Disclosure for SMB Shares in KDE's Konqueror                 |
-------------------------------------------------------------------------

Date:           Nov. 29, 2004
Author:         Daniel Fabian
Product:        KDE, Konqueror
Vendor:         KDE e. V. (http://www.kde.org)
Vendor-Status:  vendor contacted
Vendor-Patches: none available so far
Attack Vector:  Local

~~~~~~~~ Synopsis ~~~~~~~~~~~~~~~~~~~~~~~~

The KDE program Konqueror allows for browsing SMB shares comfortably
through the GUI. By placing a shortcut to an SMB share on KDE's desktop,
an attacker can disclose his victim's password in plaintext.

~~~~~~~~ Affected Versions ~~~~~~~~~~~~~~~~~~~~~~~~

The problem has been successfully reproduced with KDE 3.2.1 on a standard
SuSE 9.1 distribution. I have not been able to reproduce the issue on
KDE 3.3.0; however, the developers of KDE claimed that there might be a
related issue in both KDE 3.3 as well as the upcoming KDE 3.4.

~~~~~~~~ Vendor Status ~~~~~~~~~~~~~~~~~~~~~~~~

The vendor has been notified and was very cooperative. We set a
coordinated disclosure date of Nov. 10th. However, Nov. 10th passed
without a patch available. My mail for a new date has gone unanswered for
more than two weeks now, so I suppose it is ok to release this advisory,
very much so since this is not an issue that can be widely exploited
anyway.

~~~~~~~~ Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~

Opening the URL "smb:/" in Konqueror allows KDE users to browse the local
network for SMB shares. Upon selecting a computer, the user has to enter a
password if access to that computer is restricted.

While the URL of the SMB share correctly does not show the password in
Konqueror's address bar, this can be easily bypassed by copying a shortcut
to a certain share to the desktop. The created desktop icon will be given
a name (and address) following this scheme:

  smb://domain\username:password@server\sharename

The password can be read in plaintext by an attacker. So while a colleague
is getting some coffee or having a short nap at his desk, it is most easy
to get the password of his open SMB shares.

~~~~~~~~ Timeline ~~~~~~~~~~~~~~~~~~~~~~~~

Oct. 06: Discovery of the vulnerability
Oct. 10: Initial vendor reply
Nov. 10: Planned coordinated disclosure
Nov. 29: Final disclosure

~~~~~~~~ Counter Measures ~~~~~~~~~~~~~~~~~~~~~~~~

Until a patch is available, just lock your computer every time you leave
it (should be done regardless of this issue).

EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com
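The exposure described in the advisory is a credential written into a persistent file: a KDE Type=Link .desktop entry whose Name= and URL= keys carry the full smb://domain\user:password@server/share URL. Below is an added example (not code from KDE, SEC Consult or the patches attached to this bug) that does two things a practitioner would want: it audits existing .desktop files for embedded passwords, and it shows how a link writer should strip the password from the userinfo before anything touches disk. The sample .desktop content is constructed; the redaction policy (keep the user name, drop only the password) is this example's own choice and is not a description of KDE's fix.

```python
"""Detect and strip plaintext passwords embedded in smb:// URLs inside
KDE/freedesktop Type=Link .desktop files.

Added example, not KDE's or the advisory author's code. The .desktop
contents are constructed samples; the redaction policy (keep user, drop
password) is this example's own choice, not a description of KDE's patch.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# scheme://[user[:password]@]rest   The SMB userinfo may contain a
# backslash ("domain\user"), so only ':', '@' and '/' terminate the user
# part; the password part ends at '@' or '/'.
_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?:(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def embedded_password(url: str) -> Optional[str]:
    """Return the password carried in the URL's userinfo, or None if the
    URL has no user:password@ component (a host:port is not userinfo)."""
    m = _URL_RE.match(url)
    if not m or m.group("password") is None:
        return None
    return m.group("password")


def strip_password(url: str) -> str:
    """Drop the password from userinfo; keep scheme, user and the rest.
    URLs without an embedded password are returned unchanged."""
    m = _URL_RE.match(url)
    if not m or m.group("password") is None:
        return url
    user = m.group("user")
    prefix = f"{user}@" if user else ""
    return f"{m.group('scheme')}{prefix}{m.group('rest')}"


def desktop_link(url: str, name: str) -> str:
    """Render a Type=Link entry the safe way: both the display name and
    the URL are passed through strip_password() before being emitted."""
    return (
        "[Desktop Entry]\n"
        "Type=Link\n"
        f"Name={strip_password(name)}\n"
        f"URL={strip_password(url)}\n"
    )


def find_leaked_credentials(desktop_text: str) -> List[Tuple[int, str, str]]:
    """Scan .desktop content. For every Name*/URL key whose value embeds a
    password, return (line_no, key, redacted_url). The password itself is
    never returned, so the report can be shared safely."""
    hits = []
    for no, line in enumerate(desktop_text.splitlines(), start=1):
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not (key == "URL" or key.startswith("Name")):
            continue
        if embedded_password(value) is not None:
            hits.append((no, key, strip_password(value)))
    return hits


def scan_directory(directory: Path) -> Dict[str, List[Tuple[int, str, str]]]:
    """Audit every *.desktop file under directory (e.g. ~/Desktop)."""
    report = {}
    for path in directory.rglob("*.desktop"):
        hits = find_leaked_credentials(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample resembling the shortcut the advisory describes; the
# name and URL follow the smb://domain\user:password@server/share scheme.
SAMPLE_LEAKY_LINK = (
    "[Desktop Entry]\n"
    "Type=Link\n"
    "Name=smb://WORKGROUP\\alice:s3cret@fileserver/docs\n"
    "URL=smb://WORKGROUP\\alice:s3cret@fileserver/docs\n"
)

if __name__ == "__main__":
    for no, key, url in find_leaked_credentials(SAMPLE_LEAKY_LINK):
        print(f"line {no}: {key}= embeds a password for {url}")
    print(desktop_link("smb://WORKGROUP\\alice:s3cret@fileserver/docs", "docs"))
```

Running the module reports both the Name= and URL= lines of the sample, which matches the advisory's observation that the icon label leaks the password as well as the target. `scan_directory(Path.home() / "Desktop")` is the audit step to run on an affected KDE 3.2/3.3 installation before and after updating; any hit means the file should be rewritten with `desktop_link()` and the exposed password rotated.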
Confirmed. CC'ing maintainer and waiting for upstream.
Created attachment 45520 [details] Draft Advisory
Ahem. I thought security bugs like this were private - why is it being CCed to so many different people when I attached a patch?
Because it was public since November 29. Didn't include the reference initially as the web archive is a bit behind. If it is a restricted bug it is clearly noted under the comment window and you're most likely CC'ed directly and not via the kde alias.
Created attachment 45522 [details, diff] 3.3.1 kdebase smb fix
Created attachment 45523 [details, diff] 3.3.1 kdelibs kthml fix
Created attachment 45524 [details, diff] 3.3.1 kdelibs kio fix
Created attachment 45525 [details, diff] 3.3.2 kdelibs kio fix
Created attachment 45526 [details, diff] 3.2.3 kdebase smb fix
Created attachment 45527 [details, diff] 3.2.3 kdelibs html fix
Created attachment 45528 [details, diff] 3.2.3 kdelibs kio fix
I will plan to address these patches once the kde folks say that they are happy with the extent of them.
The advisory has been made public. kdelibs 3.3.2 already has the fix in portage, so no revision is necessary. kde{base,libs} 3.3.1 and 3.2.3 will receive the fixes in a little bit. I will advise what to do next once I get the fixes in portage.
kdelibs and kdebase fixes should be in portage soon.

Fixed versions:
kdelibs-3.2.3-r3
kdelibs-3.3.1-r1
kdelibs-3.3.2 (still unstable on all arches)
kdebase-3.2.3-r2
kdebase-3.3.1-r1
kdebase-3.3.2

I left the stable arches the same for the rev bump as the patches are very unobtrusive. It looks to me like mips and ppc64 are the only arches without a stable solution to migrate to.
Fixed with bug 73869, apparently ready for a GLSA
GLSA 200412-16