Bugtraq mailing list archives
Kvt bug
From: core.lists.bugtraq () CORE-SDI COM (Sebastian Wain)
Date: Wed, 29 Sep 1999 16:01:03 -0300
In the xterm there is a feature to change the title of the window. You can change the title of the window by sending one of the escape codes of the xterm (linux: man console_codes).

For example:

ESC]2;This is my Xterm^G

This escape code changes the xterm's title to "This is my Xterm".

Obviously you can do the same using the kvt (Kde Virtual Terminal). But the kvt has a buffer overflow. If the size of the new title of the window is big enough then the kvt will do a core dump.

This bug follows the "reverse exploit" line, if some program sends this escape code to the kvt. For example, when someone connects to any ftp server and the server sends the Welcome Message, it will be easy to exploit this bug by changing the Welcome Message (in the .message file) to one with this escape code and to cause a buffer overflow.

Another example where someone can cause a buffer overflow in your machine is simply doing "cat hosts", where hosts may be a file that you received by mail containing the "change window escape code".

This bug shows some of the kvt's security problems being exploited via a "reverse exploit" or an exploit sent directly to your terminal (if the attacker can write to your kvt).

If this bug is exploited, then the attacker can obtain the privileges of the kvt's owner and execute some arbitrary code as this user.

This bug was reported to the kde team by Larry Granroth in January (http://bugs.kde.org/db/33/332.html).

The new kde's version doesn't have this bug in the kconsole. Kvt was replaced totally by kconsole. But the RedHat 6.0 installed with KDE has this bug.

Cheers.

Sebastian Wain
swain () core-sdi com

---
For a personal reply use swain () core-sdi com
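A defensive filter for the scenario described in the post, added here as an example and not part of the original message: it strips xterm OSC strings (the title-change code among them) from untrusted text such as an FTP welcome message before the text reaches the terminal, and reports the longest payload seen. The name `strip_osc` and the sample banner are constructed for illustration; handling of the ST terminator (ESC \) goes beyond the BEL-terminated form the post shows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1b
#define BEL 0x07

/* Copy `in` to `out` with every OSC string (ESC ] ... BEL, or ESC ] ... ESC \)
 * removed. `out` must hold at least n bytes; output is never longer than input.
 * *longest receives the longest OSC payload seen, so a caller can log
 * suspiciously large title strings. An unterminated OSC is dropped to the end
 * of the buffer rather than passed through. Other escape sequences are copied
 * unchanged. Returns the number of bytes written to `out`. */
size_t strip_osc(const unsigned char *in, size_t n,
                 unsigned char *out, size_t *longest)
{
    size_t i = 0, o = 0;
    *longest = 0;
    while (i < n) {
        if (in[i] == ESC && i + 1 < n && in[i + 1] == ']') {
            size_t start = i + 2, j = start;
            /* Scan to BEL or ST, never reading past the input length. */
            while (j < n && in[j] != BEL &&
                   !(in[j] == ESC && j + 1 < n && in[j + 1] == '\\'))
                j++;
            if (j - start > *longest)
                *longest = j - start;
            if (j >= n)                      /* unterminated: drop the rest */
                break;
            i = j + (in[j] == BEL ? 1 : 2);  /* skip the terminator */
        } else {
            out[o++] = in[i++];
        }
    }
    return o;
}

int main(void)
{
    /* Constructed sample: a welcome line carrying the post's title change. */
    const unsigned char msg[] = "220 Welcome\x1b]2;This is my Xterm\x07 to ftp\n";
    unsigned char clean[sizeof msg];
    size_t longest;
    size_t len = strip_osc(msg, sizeof msg - 1, clean, &longest);
    fwrite(clean, 1, len, stdout);
    printf("longest OSC payload: %zu bytes\n", longest);
    return 0;
}
```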