84021 2002-11-12 00:22 /158 lines/ David Endler <dendler@idefense.com>
Imported: 2002-11-12 00:22 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: dendler@idefense.com
Recipient: Bugtraq (import) <2341>
Subject: iDEFENSE Security Advisory 11.11.02: Buffer Overflow in KDE resLISa
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 11.11.02:
http://www.idefense.com/advisory/11.11.02.txt
Buffer Overflow in KDE resLISa
November 11, 2002

I. BACKGROUND

KDE is a popular open source graphical desktop environment for Unix workstations. Its kdenetwork module contains a LAN browsing implementation known as LISa, which is used to identify CIFS and other servers on the local network. LISa consists of two main modules: "lisa", a network daemon, and "resLISa", a restricted version of the lisa daemon created by Alexander Neundorf. LISa's lisa module can be accessed in KDE using the URL type "lan://"; the resLISa module can be accessed using the URL type "rlan://".

II. DESCRIPTION

Local exploitation of a buffer overflow within the resLISa module could allow an attacker to gain elevated privileges. The overflow exists in the parsing of the LOGNAME environment variable; an overly long value will overwrite the instruction pointer, thereby allowing an attacker to seize control of the executable.
The following is a snapshot of the exploit in action:

farmer@debian30:~$ ./reslisa_bof
farmer@debian30:~$ NetManager::prepare: listen failed
sh-2.05a$ id
uid=1000(farmer) gid=1000(farmer) groups=1000(farmer)

While the attacker's privileges have not been escalated, the following shows the creation of a raw socket that is accessible by the attacker:

farmer@debian30:~$ lsof | grep raw
sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07
farmer@debian30:~$ cd /proc/1413/fd/
farmer@debian30:/proc/1413/fd$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432]
l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null
lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433]

III. ANALYSIS

Local attackers can use access to a raw socket to sniff network traffic and generate malicious traffic (such as network scans, ARP redirects, DNS poisoning). This can lead to further compromise of the target system as well as other neighboring systems, depending on network trust relationships.

IV. DETECTION

This vulnerability exists in all versions of resLISa included within kdenetwork packages found in versions of KDE before 3.0.5. To determine if a specific implementation is vulnerable issue the following commands:

$ LOGNAME=`perl -e 'print "A"x5000'`
$ `which reslisa` -c .

If the application exits, printing "signal caught: 11, exiting", then it is vulnerable. The above example was performed on resLISa version 0.1.1 which is packaged and distributed with Debian 3.0r0.

V. VENDOR FIX

KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable buffer overflow found in LISa by Olaf Kirch of SuSE Linux AG. More information about the fix is available at http://www.kde.org/info/security.
Individual Unix vendors should be providing updated KDE distributions on their appropriate download sites. Lisa 0.2.2, which also fixes these issues and compiles independent of KDE, can be downloaded at http://lisa-home.sourceforge.net/download.html.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1247 to this issue.

VII. DISCLOSURE TIMELINE

10/02/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Alexander Neundorf (neundorf@kde.org), and Linux Security list (vendor-sec@lst.de) notified
10/31/2002 Response received from Alexander Neundorf
11/01/2002 iDEFENSE clients notified
11/11/2002 Coordinated public disclosure

VIII. CREDIT

Texonet (http://www.texonet.com) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.

-dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
-----END PGP SIGNATURE-----
(84021) /David Endler <dendler@idefense.com>/-------

84172 2002-11-12 20:58 /107 lines/ Andreas Pour <pour@kde.org>
Imported: 2002-11-12 20:58 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <2354>
Subject: KDE Security Advisory: resLISa / LISa Vulnerabilities
------------------------------------------------------------
KDE Security Advisory: resLISa / LISa Vulnerabilities
Original Release Date: 2002-11-11
URL: http://www.kde.org/info/security/advisory-20021111-2.txt

0. References

iDEFENSE Security Advisory 11.11.02 (http://www.idefense.com/advisory/11.11.02.txt).

1. Systems affected:

All KDE 2 releases from KDE 2.1 and all KDE 3 releases (up to 3.0.4 and 3.1rc3).

2. Overview:

The kdenetwork module of KDE contains a LAN browsing implementation known as LISa, which is used to identify CIFS and other servers on the local network. LISa consists of two main modules, "lisa", a network daemon, and "reslisa", a restricted version of the lisa daemon. LISa can be accessed in KDE using the URL type "lan://", and resLISa using the URL type "rlan://".

LISA will obtain information on the local network by looking for an existing LISA server on other local hosts, and if there is one, retrieves the list of servers from it. If there is no other LISA server, it will scan the network and create a server list.
The browser daemon 'lisa' is typically configured to start as a system service at system boot time.

resLISa is a restricted version of LISa which uses a configuration file to identify hosts on the network rather than scanning for them. resLISa is typically installed SUID root and started by a user to browse the configured network servers. However, it does not directly communicate with servers on the network.

3. Impact:

The resLISa daemon contains a buffer overflow vulnerability which potentially enables any local user to obtain access to a raw socket if 'reslisa' is installed SUID root. This vulnerability was discovered by the iDEFENSE security team and Texonet.

The lisa daemon contains a buffer overflow vulnerability which potentially enables any local user, as well as any remote attacker on the LAN who is able to gain control of the LISa port (7741 by default), to obtain root privileges.

In addition, a remote attacker potentially may be able to gain access to a victim's account by using a "lan://" URL in an HTML page or via another KDE application.

These vulnerabilities were discovered by Olaf Kirch at SuSE Linux AG.

4. Solution:

The vulnerabilities have been fixed in KDE 3.0.5 and patches are available for those using KDE 3.0.4. We recommend either upgrading to KDE 3.0.5, applying the patches or disabling the resLISa and LISa services.

The resLISa vulnerability can be disabled by unsetting the SUID bit on resLISa. Typically this is accomplished by executing the command:

chmod a-s `which reslisa`

Note that this will prevent users from using the resLISa service.

The first LISa vulnerability can be disabled by disabling the LISa service. Typically this is accomplished by executing the commands:

/etc/init.d/lisa stop
rm /etc/init.d/lisa `which lisa`

or

rpm -e kdenetwork-lisa

However, the appropriate commands depend on your vendor's OS and how the various components of kdenetwork were packaged.
The second LISa vulnerability can be disabled by deleting any lan.protocol and rlan.protocol files on the system and restarting the active KDE sessions. The files are usually installed in [kdeprefix]/share/services/lan.protocol and [kdeprefix]/share/services/rlan.protocol ([kdeprefix] is typically /opt/kde3 or /usr), but copies may exist elsewhere, such as in users' [kdehome]/share/services directory ([kdehome] is typically the .kde directory in a user's home directory).

kdenetwork-3.0.5 can be downloaded from http://download.kde.org/stable/3.0.5/src/ :

504032bceeef0dfa9ff02aed0faf795d kdenetwork-3.0.5.tar.bz2

Some vendors are building binary packages of kdenetwork-3.0.5. Please check your vendor's website and the KDE 3.0.5 information page (http://ww.kde.org/info/3.0.5.html) periodically for availability.

5. Patch:

Patches are available for KDE 3.0.4 from the KDE FTP server (ftp://ftp.kde.org/pub/kde/security_patches/):

5b2334c689ae9412475f6b653a107401 post-3.0.4-kdenetwork-lanbrowsing.diff

(84172) /Andreas Pour <pour@kde.org>/-----(Rewrapped)
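An added example, not part of either advisory above: a read-only POSIX shell audit of the three workarounds the KDE advisory lists (SUID bit on reslisa, the lisa init script, leftover lan.protocol/rlan.protocol files), so an administrator can confirm they took effect without running iDEFENSE's crash test against a SUID binary. The default paths in the `--audit` branch are assumptions taken from the advisory's "typically" wording; pass your own if your vendor packaged kdenetwork differently.

```shell
#!/bin/sh
# Added example (not from either advisory): read-only audit of the
# mitigations the KDE advisory lists, so an administrator can verify
# them without running the crash test against a SUID binary.

# reslisa_exposure PATH
#   "suid-root" - setuid and root-owned: the condition under which the
#                 LOGNAME overflow hands a local user a raw socket
#   "suid"      - setuid but not root-owned
#   "ok"        - no setuid bit (the state after `chmod a-s`)
#   "missing"   - binary not present
reslisa_exposure() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    if [ -u "$path" ]; then
        owner=$(ls -ld "$path" | awk '{print $3}')
        if [ "$owner" = root ]; then echo suid-root; else echo suid; fi
    else
        echo ok
    fi
}

# lan_protocol_files DIR...
#   Prints every lan.protocol / rlan.protocol under the given prefixes
#   ([kdeprefix]/share/services and each user's [kdehome]/share/services).
#   Empty output means the second LISa issue is mitigated on those paths.
lan_protocol_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name lan.protocol -o -name rlan.protocol \)
    done
}

# lisa_service_present INITSCRIPT: succeeds if the init script still exists.
lisa_service_present() {
    [ -e "$1" ]
}

# Usage: `sh audit.sh --audit`. Paths below are the advisory's "typical"
# locations and are assumptions; adjust for your vendor's packaging.
if [ "${1:-}" = --audit ]; then
    bin=$(command -v reslisa 2>/dev/null || echo /usr/bin/reslisa)
    echo "reslisa ($bin): $(reslisa_exposure "$bin")"
    lan_protocol_files /opt/kde3/share/services /usr/share/services \
        "$HOME/.kde/share/services" | sed 's/^/protocol file: /'
    lisa_service_present /etc/init.d/lisa && echo "lisa init script: present"
fi
```

Re-run after applying `chmod a-s`, removing the init script and deleting the protocol files; every line should then report ok, nothing, and no init script.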