Bugtraq mailing list archives

Kvt bug


From: core.lists.bugtraq () CORE-SDI COM (Sebastian Wain)
Date: Wed, 29 Sep 1999 16:01:03 -0300



In xterm there is a feature to change the title of the window.
You can change the title of the window by sending one of the xterm's escape codes
(Linux: man console_codes).

For example:

ESC]2;This is my Xterm^G

This escape code changes the xterm's title to "This is my Xterm"

Obviously you can do the same using the kvt (KDE Virtual Terminal).
But the kvt has a buffer overflow. If the size of the new title of the
window is big enough, then the kvt will do a core dump.

This bug follows the "reverse exploit" line: some program sends
this escape code to the kvt.
For example, when someone connects to any ftp server and the server sends
the Welcome Message, it will be easy to exploit this bug by changing the
Welcome Message (in the .message file) to one with this escape code and
so cause a buffer overflow.

Another example where someone can cause a buffer overflow on your machine is
simply doing "cat hosts", where hosts may be a file that you received
by mail containing the "change window title" escape code.

This bug shows some of the kvt's security problems being exploited via
a "reverse exploit" or an exploit sent directly to your terminal
(if the attacker can write to your kvt).

If this bug is exploited, then the attacker can obtain the
privileges of the kvt's owner and execute some arbitrary code as this
user.

This bug was reported to the kde team by Larry Granroth in January.
(http://bugs.kde.org/db/33/332.html)

The new KDE version doesn't have this bug in the kconsole;
kvt was replaced totally by kconsole.
But the RedHat 6.0 installed with KDE has this bug.

Cheers.

Sebastian Wain
swain () core-sdi com


--- For a personal reply use swain () core-sdi com
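The two delivery paths in the post (an ftp welcome banner, a mailed file shown with cat) both come down to untrusted bytes reaching the terminal unfiltered. The following is an added example, not code from the post or from KDE: a small filter that recognises the OSC title-change framing documented in console_codes (ESC ] Ps ; Pt BEL, with Ps 0, 1 or 2 setting icon name and/or title; the xterm ST terminator ESC \ is accepted as well), reports what it found, and strips the sequences before the text is displayed. The sample banner, the 40-byte title and the 32-byte alert threshold are constructed values for the demonstration; the post gives no sizes.

```python
"""Detect and strip OSC title-change escape sequences from untrusted text.

Added example, not from the original Bugtraq post. Framing follows
console_codes(4): ESC ] Ps ; Pt BEL.  Ps 0/1/2 set icon name / title.
The xterm string terminator ESC \\ (ST) is accepted too.
"""
import re
from typing import List, Tuple

# ESC ] <digits> [;] <text> <BEL | ESC \ | end-of-line | end-of-data>
# The text class excludes BEL, ESC and newline, so an unterminated
# sequence is cut at the end of its line instead of swallowing the
# rest of the stream.
OSC_RE = re.compile(rb"\x1b\](\d*);?([^\x07\x1b\n]*)(?:\x07|\x1b\\|(?=\n)|\Z)")

# Constructed sample: an ftp-style banner carrying two title changes,
# one BEL-terminated (as in the post) and one ST-terminated.
SAMPLE_BANNER = (
    b"220 Welcome to the example FTP server\r\n"
    b"\x1b]2;This is my Xterm\x07220 Please log in\r\n"
    b"\x1b]0;" + b"A" * 40 + b"\x1b\\" + b"end\n"
)


def find_title_sequences(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (Ps, title bytes) for every OSC sequence found in data.

    A missing Ps is reported as "0", which is how console_codes
    treats an empty parameter.
    """
    return [(m.group(1).decode("ascii") or "0", m.group(2))
            for m in OSC_RE.finditer(data)]


def oversized_titles(data: bytes, limit: int = 32) -> List[int]:
    """Lengths of title payloads longer than `limit` bytes.

    `limit` is an arbitrary alert threshold chosen for this example;
    pick it from what the terminal you run actually accepts.
    """
    return [len(title) for _, title in find_title_sequences(data)
            if len(title) > limit]


def strip_title_sequences(data: bytes) -> bytes:
    """Remove every OSC title-change sequence, keeping the rest intact."""
    return OSC_RE.sub(b"", data)


def main() -> None:
    for ps, title in find_title_sequences(SAMPLE_BANNER):
        print(f"OSC {ps}: {len(title)}-byte title {title[:16]!r}")
    print("oversized:", oversized_titles(SAMPLE_BANNER))
    print(strip_title_sequences(SAMPLE_BANNER).decode("ascii"), end="")


if __name__ == "__main__":
    main()
```

A filter like this belongs in whatever reads remote or mailed data on the user's behalf (an ftp client printing the banner, a mail reader handing a file to a pager), since the terminal itself cannot tell a title set by the user from one smuggled in a file.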

