6095854 2001-02-14 14:46 +0100  /75 lines/ Marc Roessler <marc@TENTACLE.FRANKEN.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14  19:39  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: marc@TENTACLE.FRANKEN.DE
Recipient: Bugtraq (import) <15452>
Subject: Security hole in kicq
------------------------------------------------------------
From: Marc Roessler <marc@TENTACLE.FRANKEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010214144610.A436@tentacle.franken.de>

Hi all,

there is a security-related problem with kicq.
The authors were contacted and provided with a suggestion for a patch,
which should be available soon.
I did not find anything in the archive on this, so here we go.

kicq is a free icq client clone available at
http://kicq.sourceforge.net/.  Unfortunately, received (untrusted!)
URLs are passed to the specified web browser (the default is kfmclient)
without any sanity checking, using system().  The only user action
needed for this is to click "Open" in a popup menu.


I tried with version 1.0.0; it is vulnerable for sure.
Other versions (such as 2.0.0b1) seem to be vulnerable as well,
though I did not compile them to try.



Details:

The problem is in file kicq/utils/kwebbrowser.cpp. For example:

	system(QString("kfmclient openURL '" + URL + "' &").latin1());

Other browsers (netscape, lynx, wget) are called similarly; this needs
to be patched as well.



Demonstration/Exploit:

Exploiting is trivial.  By adding shell metacharacters such as "'",
"&" and ";" it is possible to send commands to the shell.  If done
creatively, the web browser will come up nevertheless and the user
will not become suspicious.

The worst part is that the shell stuff can be hidden from the
user. The URL display field will display 123 characters (number may
vary). If the URL is longer only the last 123 characters will be
visible. Spaces count as characters as well!

The following URL will be visible as "http://www.test.com/" to the
user: [dots are to be replaced by spaces]
---
http://www.test.com/test.html'&xterm&'truehttp://www.test.com..............................................................
---
When opened by choosing "Open URL" in the popup menu, kfmclient
will go and fetch http://www.test.com/test.html, while an xterm pops
up on the desktop.



Patch:

The obvious solution is to replace the system() stuff by execve or
one of its front-ends, making sure spaces in the URL will not be
interpreted as argv delimiters; otherwise an attacker may pass
arbitrary arguments to the browser.  Also it should be checked that
the first character of the URL is not "-" ..  Think about what a URL
"-display attacker.com:0" will do to lynx..  This will suffice for
the moment, though in the long run the 123+ character feature should
probably be fixed.  Probably it is a good idea to remove the "Open
URL" feature altogether; cut-n-paste is not a problem any more with
most GUIs, and 'evil' URLs might be spotted more easily if passed
manually.


Greetings
 Marc Roessler
(6095854) --------------------------------(Rewrapped)
Comment in text 6095879 by Hedda (Snäll, trevlig och snygg)
Comment in text 6101747 by Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
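The shell-free launcher that the Patch section above calls for, as an added example written for this thread; it is not code from kicq or its authors. It replaces the `system("kfmclient openURL '" + URL + "' &")` pattern with a validated argv passed to execvp, so "'", "&" and ";" in a URL are plain bytes rather than shell syntax. The function names, the scheme whitelist and the rule rejecting whitespace are this example's own assumptions, not something kicq ships:

```cpp
// Added example, not kicq code: launch the web browser without a shell.
// Assumed names: is_safe_browser_url, build_browser_argv, open_url_detached.
#include <string>
#include <vector>
#include <unistd.h>
#include <sys/wait.h>

// Sanity checks from the post: the URL must not start with "-" (a browser
// such as lynx would parse it as an option), must not contain whitespace or
// control characters (no valid URL does, and spaces are what makes the
// 123-character display truncation trick work), and must carry a scheme we
// actually expect a web browser to handle.  The scheme list is an assumption.
bool is_safe_browser_url(const std::string &url) {
    if (url.empty() || url[0] == '-')
        return false;
    for (unsigned char c : url) {
        if (c <= 0x20 || c >= 0x7f)   // controls, space, DEL, non-ASCII
            return false;
    }
    static const char *schemes[] = {"http://", "https://", "ftp://"};
    for (const char *s : schemes) {
        std::string prefix(s);
        if (url.compare(0, prefix.size(), prefix) == 0)
            return true;
    }
    return false;
}

// Build the browser's argument vector.  Each element becomes exactly one
// argv entry, so metacharacters inside the URL cannot split or inject
// commands; this is the "execve or one of its front-ends" fix.
std::vector<std::string> build_browser_argv(const std::string &browser,
                                            const std::string &url) {
    if (browser == "kfmclient")
        return {"kfmclient", "openURL", url};
    return {browser, url};   // netscape, lynx, ...: "<browser> <url>"
}

// Replacement for the trailing "&": fork twice, exec in the grandchild and
// reap the intermediate child, so the browser runs detached and no zombie
// is left behind.  Returns false if validation or fork fails.
bool open_url_detached(const std::string &browser, const std::string &url) {
    if (!is_safe_browser_url(url))
        return false;
    std::vector<std::string> args = build_browser_argv(browser, url);
    std::vector<char *> argv;
    for (std::string &a : args)
        argv.push_back(&a[0]);
    argv.push_back(nullptr);

    pid_t child = fork();
    if (child < 0)
        return false;
    if (child == 0) {
        if (fork() == 0) {
            execvp(argv[0], argv.data());
            _exit(127);          // exec failed in the grandchild
        }
        _exit(0);                // intermediate child exits at once
    }
    int status = 0;
    waitpid(child, &status, 0);  // reap the intermediate child
    return true;
}

int main() {
    // Rejected: leading "-" would reach the browser as an option.
    open_url_detached("lynx", "-display attacker.com:0");
    // Accepted and passed as a single argv entry, never to a shell.
    return open_url_detached("kfmclient", "http://www.test.com/test.html") ? 0 : 1;
}
```

The whitespace rule is deliberately stricter than RFC 3986 requires; an application that must accept URLs with spaces should percent-encode them before validation rather than relax the check.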
6101747 2001-02-14 21:56 +0100  /15 lines/ Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-15  21:25  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: w.r.kamphuis@STUDENT.UTWENTE.NL
Recipient: Bugtraq (import) <15461>
Comment on text 6095854 by Marc Roessler <marc@TENTACLE.FRANKEN.DE>
Subject: Re: Security hole in kicq
------------------------------------------------------------
From: Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0102142153470.3588-100000@wit393303.student.utwente.nl>

> I tried with version 1.0.0; it is vulnerable for sure.
> Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> though I did not compile them to try.
>
One little try shows that licq (http://licq.org) is vulnerable too; however, the
complete URL will be visible to the user.

greets,
  Wolter
(6101747) ------------------------------------------
Comment in text 6102770 by Eric Warmenhoven <warmenhoven@YAHOO.COM>
6102770 2001-02-15 14:18 -0800  /20 lines/ Eric Warmenhoven <warmenhoven@YAHOO.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-16  03:47  by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: warmenhoven@YAHOO.COM
Recipient: Bugtraq (import) <15487>
Comment on text 6101747 by Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
Subject: Re: Security hole in kicq
------------------------------------------------------------
From: Eric Warmenhoven <warmenhoven@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010215141849.A15591@lsanca1-ar4-058-092.dsl.gtei.net>

> > I tried with version 1.0.0; it is vulnerable for sure.
> > Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> > though I did not compile them to try.
> >
> One little try shows that licq (http://licq.org) is vulnerable too; however, the
> complete URL will be visible to the user.
>

Kaim (http://sourceforge.net/projects/kaim) is also similarly
vulnerable; though because it's an AIM client the URL has to be
crafted as an HTML link.  Kaim doesn't show you the URL before you
click on it, though it does let you copy it without going to it.

Eric
(6102770) --------------------------------(Rewrapped)