[UNIX] Buffer Overflow in KDE resLISa
From: support@securiteam.com  Date: 11/12/02
From: support@securiteam.com To: list@securiteam.com Date: 12 Nov 2002 09:53:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
Beyond Security would like to welcome Tiscali World Online
to our service provider team.
For more info on their service offering IP-Secure,
please visit http://www.worldonline.co.za/services/work_ip.asp
- - - - - - - - -
Buffer Overflow in KDE resLISa
------------------------------------------------------------------------
SUMMARY
KDE is a popular open source graphical desktop environment for Unix
workstations. Its kdenetwork module contains a LAN browsing implementation
known as LISa, which is used to identify CIFS and other servers on the
local network. LISa consists of two main modules: "lisa", a network
daemon, and "resLISa", a restricted version of the lisa daemon created by
Alexander Neundorf. LISa's lisa module can be accessed in KDE using the
URL type "lan://"; the resLISa module can be accessed using the URL type
"rlan://". A buffer overflow vulnerability in resLISa allows a local
attacker to gain elevated privileges, in the form of a raw network socket
that an unprivileged user cannot normally create.
DETAILS
Local exploitation of a buffer overflow within the resLISa module could
allow an attacker to gain elevated privileges. The overflow exists in the
handling of the LOGNAME environment variable: an overly long value
overwrites the saved return address on the stack, so that on return the
instruction pointer is under the attacker's control and execution can be
redirected to attacker-supplied code. The following is a snapshot of the
exploit in action:
farmer@debian30:~$ ./reslisa_bof
farmer@debian30:~$ NetManager::prepare: listen failed
sh-2.05a$ id
uid=1000(farmer) gid=1000(farmer) groups=1000(farmer)
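The pattern behind the LOGNAME overflow, as an added illustration that is not resLISa's own code: an unbounded copy of an environment variable into a fixed-size stack buffer, beside a bounded version that refuses anything that does not fit. The buffer size (64 bytes), the function names and the helper that builds a 5000-byte run of "A" (mirroring the detection step later in this advisory) are assumptions made for the example.

```c
/* Added example, not code from resLISa or KDE. Shows the classic
 * environment-variable stack overflow beside a hardened replacement.
 * NAME_MAX_LEN and all function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* assumed buffer size, not resLISa's actual size */

/* Vulnerable pattern: strcpy() of attacker-controlled environment data
 * into a fixed stack buffer. A LOGNAME longer than NAME_MAX_LEN bytes
 * runs past the buffer into the saved frame pointer and return address,
 * which is exactly what "signal caught: 11" in the detection step shows.
 * Kept only for comparison; never call it with untrusted input. */
void parse_logname_unsafe(const char *logname)
{
    char user[NAME_MAX_LEN];
    strcpy(user, logname);              /* no length check at all */
    printf("user: %s\n", user);
}

/* Hardened version: measure the input against the destination size first,
 * reject anything that would not fit with its NUL terminator, and copy
 * with an explicit bound. Returns 0 on success, -1 on missing or
 * oversized input. The caller passes the real size of 'out'. */
int parse_logname_safe(const char *logname, char *out, size_t outsz)
{
    if (logname == NULL || out == NULL || outsz == 0)
        return -1;

    /* Bounded scan: never read further than the destination could hold. */
    size_t len = 0;
    while (len < outsz && logname[len] != '\0')
        len++;
    if (len == outsz)                   /* no room for the terminator */
        return -1;

    memcpy(out, logname, len + 1);      /* copies the NUL as well */
    return 0;
}

/* Helper mirroring the advisory's test: a LOGNAME of attack_len 'A' bytes
 * (the detection step uses 5000). Returns the safe parser's verdict. */
int check_oversized_logname(size_t attack_len)
{
    char *payload = malloc(attack_len + 1);   /* constructed test input */
    if (payload == NULL)
        return -1;
    memset(payload, 'A', attack_len);
    payload[attack_len] = '\0';

    char user[NAME_MAX_LEN];
    int rc = parse_logname_safe(payload, user, sizeof user);
    free(payload);
    return rc;
}

int main(void)
{
    char user[NAME_MAX_LEN];
    if (parse_logname_safe(getenv("LOGNAME"), user, sizeof user) != 0) {
        fprintf(stderr, "LOGNAME missing or longer than %d bytes, refusing\n",
                NAME_MAX_LEN - 1);
        return 1;
    }
    printf("user: %s\n", user);
    return 0;
}
```

Run with `LOGNAME=$(perl -e 'print "A"x5000') ./a.out` and the hardened parser exits cleanly with an error instead of crashing. The important design point is that the destination size is passed explicitly and the scan is bounded by it; relying on the length of the source string alone (as `strcpy` implicitly does) is what lets an environment variable the attacker fully controls decide how many bytes land on the stack.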
While the resulting shell still runs under the attacker's own uid, it has
inherited a raw socket opened by resLISa, which an unprivileged user could
not otherwise create:
farmer@debian30:~$ lsof | grep raw
sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07
farmer@debian30:~$ cd /proc/1413/fd/
farmer@debian30:/proc/1413/fd$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432]
l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null
lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433]
Analysis:
Local attackers can use access to a raw socket to sniff network traffic
and generate malicious traffic (such as network scans, ARP redirects, DNS
poisoning). This can lead to further compromise of the target system as
well as other neighboring systems, depending on network trust
relationships.
Detection:
This vulnerability exists in all versions of resLISa included within the
kdenetwork packages of KDE releases before 3.0.5. To determine whether a
specific installation is vulnerable, issue the following commands:
$ LOGNAME=`perl -e 'print "A"x5000'`
$ `which reslisa` -c .
If the application exits printing "signal caught: 11, exiting" (SIGSEGV),
it is vulnerable. The above example was performed on resLISa version 0.1.1,
which is packaged and distributed with Debian 3.0r0.
Vendor fix:
KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable
buffer overflow found in LISa by Olaf Kirch of SuSE Linux AG. More
information about the fix is available at http://www.kde.org/info/security.
Individual Unix vendors should be providing updated KDE distributions on
their appropriate download sites.
LISa 0.2.2, which also fixes these issues and compiles independent of KDE,
can be downloaded at http://lisa-home.sourceforge.net/download.html.
Disclosure timeline:
10/02/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Alexander Neundorf (neundorf@kde.org), and Linux
Security list (vendor-sec@lst.de) notified
10/31/2002 Response received from Alexander Neundorf
11/01/2002 iDEFENSE clients notified
11/11/2002 Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by David Endler of iDEFENSE
(dendler@idefense.com); the vulnerability was discovered by Texonet.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.