6095854 2001-02-14 14:46 +0100 /75 lines/ Marc Roessler <marc@TENTACLE.FRANKEN.DE>
Sent by: joel@lysator.liu.se
Imported: 2001-02-14 19:39 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: marc@TENTACLE.FRANKEN.DE
Recipient: Bugtraq (import) <15452>
Subject: Security hole in kicq
------------------------------------------------------------
From: Marc Roessler <marc@TENTACLE.FRANKEN.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010214144610.A436@tentacle.franken.de>

Hi all,

there is some security related problem with kicq. The authors were contacted and provided with a suggestion for a patch, which should be available soon. I did not find anything in the archive on this, so here we go.

kicq is a free ICQ client clone available at http://kicq.sourceforge.net/. Unfortunately, received (untrusted!) URLs are passed to the specified web browser (standard is kfmclient) without any sanity checking, using system(). The only user action needed for this is to click "Open" in a popup menu.

I tried with version 1.0.0; it is vulnerable for sure. Other versions (such as 2.0.0b1) seem to be vulnerable as well, though I did not compile them to try.

Details:

The problem is in file kicq/utils/kwebbrowser.cpp. For example:

    system(QString("kfmclient openURL '" + URL + "' &").latin1());

Other browsers (netscape, lynx, wget) are called similarly; this needs to be patched as well.

Demonstration/Exploit:

Exploiting is trivial. By adding shell metacharacters such as "'", "&" and ";" it is possible to send commands to the shell. If done creatively, the web browser will come up nevertheless and the user will not become suspicious.

The worst part is that the shell stuff can be hidden from the user. The URL display field will display 123 characters (number may vary). If the URL is longer, only the last 123 characters will be visible. Spaces count as characters as well!
The following URL will be visible as "http://www.test.com/" to the user [dots are to be replaced by spaces]:

---
http://www.test.com/test.html'&xterm&'truehttp://www.test.com..............................................................
---

When opened by choosing "Open URL" in the popup menu, kfmclient will go and fetch http://www.test.com/test.html, while an xterm pops up on the desktop.

Patch:

The obvious solution is to replace the system() stuff by execve or one of its front-ends, making sure spaces in the URL will not be interpreted as argv delimiters; otherwise an attacker may pass arbitrary arguments to the browser. Also it should be checked that the first character of the URL is not "-".. Think about what a URL "-display attacker.com:0" will do to lynx..

This will suffice for the moment, though in the long run the 123+ character feature should probably be fixed. Probably it is a good idea to remove the "Open URL" feature altogether; cut-n-paste is not a problem any more with most GUIs, and 'evil' URLs might be spotted more easily if passed manually.
Greetings,
Marc Roessler
(6095854) --------------------------------(Reformatted)
Comment in text 6095879 by Hedda (Snäll, trevlig och snygg)
Comment in text 6101747 by Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>

6101747 2001-02-14 21:56 +0100 /15 lines/ Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
Sent by: joel@lysator.liu.se
Imported: 2001-02-15 21:25 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: w.r.kamphuis@STUDENT.UTWENTE.NL
Recipient: Bugtraq (import) <15461>
Comment on text 6095854 by Marc Roessler <marc@TENTACLE.FRANKEN.DE>
Subject: Re: Security hole in kicq
------------------------------------------------------------
From: Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0102142153470.3588-100000@wit393303.student.utwente.nl>

> I tried with version 1.0.0; it is vulnerable for sure.
> Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> though I did not compile them to try.
>

One little try shows that licq (http://licq.org) is vulnerable too; however, the complete URL will be visible to the user.

greets,
Wolter
(6101747) ------------------------------------------
Comment in text 6102770 by Eric Warmenhoven <warmenhoven@YAHOO.COM>

6102770 2001-02-15 14:18 -0800 /20 lines/ Eric Warmenhoven <warmenhoven@YAHOO.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-16 03:47 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: warmenhoven@YAHOO.COM
Recipient: Bugtraq (import) <15487>
Comment on text 6101747 by Wolter Kamphuis <w.r.kamphuis@STUDENT.UTWENTE.NL>
Subject: Re: Security hole in kicq
------------------------------------------------------------
From: Eric Warmenhoven <warmenhoven@YAHOO.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010215141849.A15591@lsanca1-ar4-058-092.dsl.gtei.net>

> > I tried with version 1.0.0; it is vulnerable for sure.
> > Other versions (such as 2.0.0b1) seem to be vulnerable as well,
> > though I did not compile them to try.
> >
> One little try shows that licq (http://licq.org) is vulnerable too; however, the
> complete URL will be visible to the user.
>

Kaim (http://sourceforge.net/projects/kaim) is also similarly vulnerable, though because it's an AIM client the URL has to be crafted as an HTML link. Kaim doesn't show you the URL before you click on it, though it does let you copy it without going to it.

Eric
(6102770) --------------------------------(Reformatted)
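The fix Marc's report calls for (replace the system() command line with an exec-family call, keep the URL as a single argv element so spaces cannot become extra browser arguments, and refuse a URL whose first character is "-") and the "last 123 characters" display problem, worked through as one added example in C. This is not kicq's code and not part of the thread; the scheme allowlist, the control-character check, the shell-metacharacter detection helper, the head-first display truncation and all function names are this example's own assumptions.

```c
/* Added example, not kicq's code. kicq 1.0.0 built a shell command string
 * around an untrusted URL and handed it to system(); the functions below
 * implement the replacement the report suggests: the URL travels as one
 * argv element to execvp, so no shell parses it and spaces cannot split it
 * into extra browser arguments. Scheme allowlist, control-character check
 * and head-first truncation are this example's assumptions, not kicq's. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if 'url' may be passed to a browser as a single argument. Rejects a
 * leading '-' (read as an option, e.g. "-display attacker.com:0" for
 * lynx), non-http(s) schemes (assumption), and whitespace or control
 * bytes (the padding that hid the real URL in the display field). */
int url_is_safe_argument(const char *url)
{
    size_t i;
    if (url == NULL || url[0] == '\0' || url[0] == '-')
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (i = 0; url[i] != '\0'; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f || isspace(c))
            return 0;
    }
    return 1;
}

/* Detection helper: bytes that only matter when a shell parses the URL.
 * Inert once execvp is used, but worth logging: such URLs are aimed at
 * clients that still build a system() command line. */
int url_has_shell_metachars(const char *url)
{
    return strpbrk(url, "'\"`$&;|<>(){}\\") != NULL;
}

/* Fill argv for "kfmclient openURL <url>"; the URL is exactly argv[2].
 * Returns argc (3) on success, -1 if the URL fails validation. */
int build_browser_argv(const char *url, const char *argv[4])
{
    if (!url_is_safe_argument(url))
        return -1;
    argv[0] = "kfmclient";
    argv[1] = "openURL";
    argv[2] = url;
    argv[3] = NULL;
    return 3;
}

/* Launch without a shell (fork + execvp). Returns the child's exit
 * status, or -1 if the URL was rejected or the child could not start.
 * A GUI client would reap the child on SIGCHLD rather than block here. */
int open_url_no_shell(const char *url)
{
    const char *argv[4];
    pid_t pid;
    int status;
    if (build_browser_argv(url, argv) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);              /* exec failed; never return to the caller */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Display helper for the "last 123 characters" problem: keep the HEAD of
 * a long URL and mark the cut, so trailing padding cannot push the
 * suspicious part out of view. 'out' needs maxlen + 1 bytes and maxlen
 * must be >= 4; returns the number of characters written (no NUL). */
size_t url_display(const char *url, char *out, size_t maxlen)
{
    size_t len = strlen(url);
    if (len <= maxlen) {
        memcpy(out, url, len + 1);
        return len;
    }
    memcpy(out, url, maxlen - 3);
    memcpy(out + maxlen - 3, "...", 4);
    return maxlen;
}

int main(void)
{
    /* Constructed samples: a plain URL and the report's option-injection one. */
    const char *ok = "http://www.test.com/test.html";
    const char *bad = "-display attacker.com:0";
    printf("%s -> %d\n%s -> %d\n", ok, url_is_safe_argument(ok),
           bad, url_is_safe_argument(bad));
    return 0;
}
```

The original command line ended in "&" so the browser ran in the background; open_url_no_shell() waits for the child instead, which keeps the example simple but is not what a GUI client would do (it would install a SIGCHLD handler and return to its event loop). Note that url_is_safe_argument() deliberately does not reject quotes or "&": once there is no shell those bytes are inert, and url_has_shell_metachars() exists only so that a client can log URLs that look like attempts against the older system() code path.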