From dendler@idefense.com Tue Nov 12 04:55:37 2002 From: David Endler To: bugtraq@securityfocus.com Date: Mon, 11 Nov 2002 11:56:29 -0500 Subject: iDEFENSE Security Advisory 11.11.02: Buffer Overflow in KDE resLISa -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 11.11.02: http://www.idefense.com/advisory/11.11.02.txt Buffer Overflow in KDE resLISa November 11, 2002 I. BACKGROUND KDE is a popular open source graphical desktop environment for Unix workstations. Its kdenetwork module contains a LAN browsing implementation known as LISa, which is used to identify CIFS and other servers on the local network. LISa consists of two main modules: "lisa", a network daemon, and "resLISa", a restricted version of the lisa daemon created by Alexander Neundorf. LISa's lisa module can be accessed in KDE using the URL type "lan://"; the resLISa module can be accessed using the URL type "rlan://". II. DESCRIPTION Local exploitation of a buffer overflow within the resLISa module could allow an attacker to gain elevated privileges. The overflow exists in the parsing of the LOGNAME environment variable; an overly long value will overwrite the instruction pointer, thereby allowing an attacker to seize control of the executable. The following is a snapshot of the exploit in action: farmer@debian30:~$ ./reslisa_bof farmer@debian30:~$ NetManager::prepare: listen failed sh-2.05a$ id uid=1000(farmer) gid=1000(farmer) groups=1000(farmer) While the attacker's privileges have not been escalated, the following shows the creation of a raw socket that is accessible by the attacker: farmer@debian30:~$ lsof | grep raw sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07 farmer@debian30:~$ cd /proc/1413/fd/ farmer@debian30:/proc/1413/fd$ ls -l total 0 lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3 lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3 lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3 lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3 lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432] l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433] III. ANALYSIS Local attackers can use access to a raw socket to sniff network traffic and generate malicious traffic (such as network scans, ARP redirects, DNS poisoning). This can lead to further compromise of the target system as well as other neighboring systems, depending on network trust relationships. IV. DETECTION This vulnerability exists in all versions of resLISa included within kdenetwork packages found in versions of KDE before 3.0.5. To determine if a specific implementation is vulnerable issue the following commands: $ LOGNAME=`perl -e 'print "A"x5000'` $ `which reslisa` -c . If the application exits, printing "signal caught: 11, exiting", then it is vulnerable. The above example was performed on resLISa version 0.1.1 which is packaged and distributed with Debian 3.0r0. V. VENDOR FIX KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable buffer overflow found in LISa by Olaf Kirch of SuSE Linux AG. More information about the fix is available at http://www.kde.org/info/security. Individual Unix vendors should be providing updated KDE distributions on their appropriate download sites. Lisa 0.2.2, which also fixes these issues and compiles independent of KDE, can be downloaded at http://lisa-home.sourceforge.net/download.html. VI. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2002-1247 to this issue. VII. DISCLOSURE TIMELINE 10/02/2002 Issue disclosed to iDEFENSE 10/31/2002 Maintainer, Alexander Neundorf (neundorf@kde.org), and Linux Security list (vendor-sec@lst.de) notified 10/31/2002 Response received from Alexander Neundorf 11/01/2002 iDEFENSE clients notified 11/11/2002 Coordinated public disclosure VIII. CREDIT Texonet (http://www.texonet.com) discovered this vulnerability. Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listserv@idefense.com, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world ^× from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com. - -dave David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler@idefense.com www.idefense.com - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPcwdxUrdNYRLCswqEQLB3wCfauM7/75ebKpsA70fmHN2I1t2fGMAoNra anqP0AHYTOkh4K5MJnsLXywG =Dx3m - -----END PGP SIGNATURE----- -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPc/eA0rdNYRLCswqEQJeYQCfYNI5R0dKp2LIHZqNZGgkluz33yYAoIFD bd5X67odGkaMxcMiWgPIgQqP =7g+2 -----END PGP SIGNATURE-----