Bug 73759 - kde-base/kdebase Konqueror FTP command injection
Summary: kde-base/kdebase Konqueror FTP command injection
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
Whiteboard: A3 [glsa] jaervosz
Depends on: 72750
Reported: 2004-12-08 00:28 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-01-11 22:34 UTC (History)

3.3.2 patch (post-3.2.3-kdelibs-kioslave.patch,549 bytes, patch)
2005-01-03 08:46 UTC, Caleb Tennis (RETIRED)
3.3.2 patch (post-3.3.2-kdelibs-kioslave.patch,663 bytes, patch)
2005-01-03 08:47 UTC, Caleb Tennis (RETIRED)
3.2.3 patch (post-3.2.3-kdelibs-kioslave.patch,549 bytes, patch)
2005-01-03 08:47 UTC, Caleb Tennis (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-08 00:28:12 UTC
- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#16
- ------------------------------------------------------------------                            [05/12/2004]
- ------------------------------------------------------------------

Title:        Konqueror FTP command injection

Author:       Albert Puigsech Galicia - <ripe 7a69ezine org>

Software:     Konqueror browser

Versions:     >= 3.3.1

Remote:       yes

Exploit:      yes

Severity:     Low-Medium

- ------------------------------------------------------------------

I. Introduction.

 Konqueror is a very multifunctional HTTP browser included in the KDE base package. 
Like other browsers it can use more protocols, for example FTP. This 
application is usually used to navigate through the filesystems.

II. Description.

 In order to access an FTP server using Internet Explorer you write 
"ftp://ftpuser:ftppass@server/directory" in the address bar and then the 
navigator connects to the server and executes the following commands (and 
others that have been omitted because they are not important for this stuff).

   USER ftpuser
   PASS ftppass
   CWD /directory/

 The security problem is that it is possible to inject FTP commands in 
the URL by adding the code %0a followed by your injected commands. If you do 
"ftp://ftpuser:ftppass@server/directory%0asomecommand%0a" it will execute 
those commands.

   USER ftpuser
   PASS ftppass
   CWD /directory

 The last line is an erroneous command, but it's not a problem because 
'somecommand' has already been executed.

III. Exploit

 You need to deceive a user to go to your URL and then to introduce a valid 
user and password. So yes! The exploitation also requires applying social 
engineering. Then you can do a lot of things using this bug like create or 
delete files and directories, but probably, the most interesting thing is to 
download files. It's possible to do that using this URL;


 Then the server will connect to a.b.c.d and port e,f (see FTP RFC to 
translate the port number) and will send the file data.

IV. Patch

 Konqueror developers have been contacted, and a patch will be available soon.

V. Timeline

01/12/2004  -  Bug discovered
02/12/2004  -  KDE developers contacted
03/12/2004  -  Fast developers reply
03/12/2004  -  IE also affected, so we decide to publish the bug
05/12/2004  -  Advisory released
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-08 00:29:46 UTC
kde please verify and advise.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-09 11:27:09 UTC
kde is this fixed with 3.3.2?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-30 10:01:59 UTC
Seems to be fixed in CVS now:
Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2005-01-03 08:46:25 UTC

KDE Security Advisory: ftp kioslave command injection
Original Release Date: 2005-01-01

0. References

1. Systems affected:

        All KDE releases up to and including KDE 3.3.2.

2. Overview:

        KDE applications which use the ftp kioslave, e.g. Konqueror, allow
        remote attackers to execute arbitrary FTP commands via an ftp://
        URL that contains an URL-encoded newline ( %0a ) before the ftp
        command, which causes the commands to be inserted into the resulting
        FTP session. 

        Due to similarities between the ftp and the SMTP protocol, this
        vulnerability allows misuse of the ftp slave to connect to a
        SMTP server and issue arbitrary commands, like sending an email.

3. Impact:

        The FTP kioslave can be misused to execute any ftp command on the
        server or be a vector for sending out unsolicited email.

4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.

5. Patch:

        Patch for KDE 3.2.3 is available from :

        a639b7b592f005e911c454a0a8c9c542  post-3.2.3-kdelibs-kioslave.patch

        Patch for KDE 3.3.2 is available from :

        fe67157b26a8cdf5bcfa1898cdf3b154  post-3.3.2-kdelibs-kioslave.patch

6. Time line and credits:

        26/12/2004 Public bug report filed against kio_ftp by Thiago Macieira
                   about being able to send email via kio_ftp CR/LF injection.
        26/12/2004 Patches developed by Thiago Macieira and applied
                   to CVS.
        01/01/2005 Advisory released.


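The injection described in the 7a69ezine advisory and in the KDE advisory above, and one way to refuse it before a command reaches the control channel. This is an added example, not the KDE patch or code from kio_ftp; the function names (percentDecode, urlPath, linesOnWire, buildCommand) are hypothetical.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Decode %XX escapes, as a URL layer does before the path reaches the FTP code.
std::string percentDecode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size() &&
            std::isxdigit(static_cast<unsigned char>(in[i + 1])) &&
            std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Hypothetical helper: still-encoded path of ftp://[user[:pass]@]host/path.
std::string urlPath(const std::string& url) {
    std::size_t scheme = url.find("://");
    if (scheme == std::string::npos) return "";
    std::size_t slash = url.find('/', scheme + 3);
    return slash == std::string::npos ? "/" : url.substr(slash);
}

// Lines the server would parse if verb + argument were written unchecked.
std::size_t linesOnWire(const std::string& verb, const std::string& arg) {
    const std::string raw = verb + " " + arg + "\r\n";
    return static_cast<std::size_t>(std::count(raw.begin(), raw.end(), '\n'));
}

// Build one control-channel line; refuse arguments containing CR, LF or NUL.
bool buildCommand(const std::string& verb, const std::string& arg, std::string& line) {
    for (unsigned char c : arg)
        if (c == '\r' || c == '\n' || c == '\0') return false;
    line = verb + " " + arg + "\r\n";
    return true;
}

int main() {
    // URL form taken from the advisory text above.
    const std::string path = percentDecode(urlPath("ftp://ftpuser:ftppass@server/directory%0asomecommand%0a"));
    std::string line;
    std::cout << "unchecked lines: " << linesOnWire("CWD", path) << "\n";
    std::cout << "accepted: " << buildCommand("CWD", path, line) << "\n";
    return 0;
}
```

The same check applies to the USER and PASS arguments, since they are also taken from the URL and written to the same line-oriented channel.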
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2005-01-03 08:46:55 UTC
Created attachment 47493 [details, diff]
3.3.2 patch
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2005-01-03 08:47:22 UTC
Created attachment 47494 [details, diff]
3.3.2 patch
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2005-01-03 08:47:36 UTC
Created attachment 47495 [details, diff]
3.2.3 patch
Comment 8 Caleb Tennis (RETIRED) gentoo-dev 2005-01-03 08:56:46 UTC
Committed fix as:


Stable arches were left stable.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-03 12:03:47 UTC
Thx Caleb.

Handling stable marking on bug #72750
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 05:46:36 UTC
GLSA 200501-18
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-11 22:34:49 UTC
sparc stable closing with GLSA 200501-18