The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.

Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a `-', it may be treated as an option by an external command. This could have undesirable side-effects, from denial-of-service to code execution. The impact is very dependent on local configuration.

After the iDEFENSE advisory was published, the KDE team discovered similar problems in KDE's URI handlers.

New kdelibs packages are available for Slackware 9.0, 9.1 and
-current to fix security issues with URI handling.

iDEFENSE identified a vulnerability in the Opera web browser that could be used by remote attackers to create or truncate arbitrary files on the victims machine. The KDE team discovered that a similar vulnerability exists in KDE.

A remote attacker could entice a user to open a carefully crafted telnet URI which may either create or truncate a file in the victims home directory. In KDE 3.2 and later versions the user is first explicitly asked to confirm the opening of the telnet URI.

The remote host is affected by the vulnerability described in GLSA-200405-11 (KDE URI Handler Vulnerabilities)

    The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-'     at the beginning of the hostname passed. By crafting a malicious URI and     entice an user to click on it, it is possible to pass an option to the     programs started by the handlers (typically telnet, kmail...).
  Impact :

    If the attacker controls the options passed to the URI handling programs,     it becomes possible for example to overwrite arbitrary files (possibly     leading to denial of service), to open kmail on an attacker-controlled     remote display or with an alternate configuration file (possibly leading to     control of the user account).
  Workaround :

    There is no known workaround at this time. All users are advised to upgrade     to a corrected version of kdelibs.

A vulnerability in the Opera web browser was identified by iDEFENSE;
the same type of vulnerability exists in KDE. The telnet, rlogin, ssh, and mailto URI handlers do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers. This can allow remote attackers to create or truncate arbitrary files.

The updated packages contain patches provided by the KDE team to fix this problem.

The remote host is missing the patch for the advisory SuSE-SA:2003:014 (kdelibs/kdelibs3).


The kdelibs3 (kdelibs for SLES7 based products) package is a core package for the K desktop environment (KDE). The URI handler of the kdelibs3 and kdelibs class library contains a flaw which allows remote attackers to create arbitrary files as the user utilizing the kdelibs3/kdelibs package.
Affected are applications which use the kdelibs3/kdelibs URI handler such as Konqueror or Kmail.
The original KDE advisory can be found at http://www.kde.org/info/security/advisory-20040517-1.html


Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command 'rpm -Fhv file.rpm' to apply the update.

iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files.
The KDE team has found that a similar vulnerability exists in KDE.

A flaw in the telnet URL handler can allow options to be passed to the telnet program which can be used to allow file creation or overwriting. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file in the victims home directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated kdelibs packages that fix telnet URI handler and mailto URI handler file vulnerabilities are now available.

The kdelibs packages include libraries for the K Desktop Environment.

KDE Libraries include: kdecore (KDE core library), kdeui (user interface), kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking), kspell (spelling checker), jscript (JavaScript), kab (addressbook), kimgio (image manipulation).
Konqueror is a file manager and Web browser for the K Desktop Environment (KDE).

iDEFENSE identified a vulnerability in the Opera web browser that could allow remote attackers to create or truncate arbitrary files.
The KDE team has found two similar vulnerabilities that also exist in KDE.

A flaw in the telnet URI handler may allow options to be passed to the telnet program, resulting in creation or replacement of files. An attacker could create a carefully crafted link such that when opened by a victim it creates or overwrites a file with the victim's permissions.

A flaw in the mailto URI handler may allow options to be passed to the kmail program. These options could cause kmail to write to the file system or to run on a remote X display. An attacker could create a carefully crafted link in such a way that access may be obtained to run arbitrary code as the victim.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0411 to these issues.

Note: Red Hat Enterprise Linux 2.1 is only vulnerable to the mailto URI flaw as a previous update shipped without a telnet.protocol file.

All users of KDE are advised to upgrade to these erratum packages, which contain a backported patch for these issues.

ID	Name	Product	Family	Severity
37850	FreeBSD : URI handler vulnerabilities in several browsers (df333ede-a8ce-11d8-9c6d-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	high
18753	Slackware 9.0 / 9.1 / current : kdelibs (SSA:2004-238-01)	Nessus	Slackware Local Security Checks	high
15355	Debian DSA-518-1 : kdelibs - unsanitised input	Nessus	Debian Local Security Checks	high
14497	GLSA-200405-11 : KDE URI Handler Vulnerabilities	Nessus	Gentoo Local Security Checks	high
14146	Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:047)	Nessus	Mandriva Local Security Checks	high
13785	SuSE-SA:2003:014: kdelibs/kdelibs3	Nessus	SuSE Local Security Checks	high
13700	Fedora Core 2 : kdelibs-3.2.2-6 (2004-122)	Nessus	Fedora Local Security Checks	high
13699	Fedora Core 1 : kdelibs-3.1.4-5 (2004-121)	Nessus	Fedora Local Security Checks	high
12499	RHEL 2.1 / 3 : kdelibs (RHSA-2004:222)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2004-0411

critical

Tenable Plugins

high

high

high

high

high

high

high

high

high