[UNIX] rlogin.protocol and telnet.protocol URL KIO Vulnerability

From: support@securiteam.com
Date: 11/14/02


From: support@securiteam.com
To: list@securiteam.com
Date: 14 Nov 2002 16:33:48 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  rlogin.protocol and telnet.protocol URL KIO Vulnerability
------------------------------------------------------------------------

SUMMARY

KDE provides support for various network protocols via the KIO subsystem.
These protocols are implemented with text files that have the extension
.protocol, normally stored in the share/services/ subdirectory under the
KDE installation root.

The implementation of the rlogin protocol in all of the affected systems,
and the implementation of the telnet protocol in affected KDE 2 systems,
allows a carefully crafted URL in an HTML page, HTML email or other
KIO-enabled application to execute arbitrary commands on the system using
the victim's account on the vulnerable machine.

DETAILS

Vulnerable systems:
All KDE 2 releases starting with KDE 2.1 and all KDE 3 releases (up to
3.0.4 and 3.1rc3).

Impact:
The vulnerability potentially enables local or remote attackers to
compromise a victim's account and execute arbitrary commands on the local
system with the victim's privileges, such as erasing files, accessing data
or installing Trojans.

Solution:
The vulnerability has been fixed in KDE 3.0.5 and a patch is available for
KDE 3.0.4. For affected KDE 3 systems, we recommend upgrading to KDE
3.0.5, applying the patch provided or disabling the rlogin protocol.

For affected KDE 2 systems, we recommend disabling both the rlogin and
telnet KIO protocols.

The rlogin protocol vulnerability can be disabled by deleting any
rlogin.protocol files on the system and restarting the active KDE
sessions. The file is usually installed in
[kdeprefix]/share/services/rlogin.protocol ([kdeprefix] is typically
/opt/kde3 or /usr), but copies may exist elsewhere, such as in users'
[kdehome]/share/services directory ([kdehome] is typically the .kde
directory in a user's home directory).

The telnet protocol vulnerability can be similarly disabled in affected
KDE 2 systems.
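
The check below is an added example, not part of the original advisory or of KDE: it looks for the protocol files in the typical locations named above and deletes them only on request. The function names, the KIO_FILES variable and the use of a passwd-format file to enumerate home directories are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the advisory): audit for the KIO protocol files
# the advisory says to delete. All function names here are hypothetical.

# Protocol files to look for. The advisory names rlogin.protocol for all
# affected systems and telnet.protocol for affected KDE 2 systems only.
KIO_FILES=${KIO_FILES:-"rlogin.protocol"}

# Print candidate roots: each given [kdeprefix], then <home>/.kde for every
# account in a passwd-format file (field 6 is the home directory).
# usage: kio_roots PASSWD_FILE PREFIX...
kio_roots() {
    passwd_file=$1; shift
    for prefix in "$@"; do printf '%s\n' "$prefix"; done
    awk -F: '$6 != "" { print $6 "/.kde" }' "$passwd_file" | sort -u
}

# Print every existing <root>/share/services/<file> for roots read on stdin.
kio_find() {
    while IFS= read -r root; do
        for name in $KIO_FILES; do
            f="$root/share/services/$name"
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Report the files; delete them only when MODE is "delete".
# usage: kio_audit MODE PASSWD_FILE PREFIX...
kio_audit() {
    mode=$1; shift
    kio_roots "$@" | kio_find | while IFS= read -r f; do
        if [ "$mode" = delete ]; then
            rm -f -- "$f" && printf 'deleted %s\n' "$f"
        else
            printf 'found %s\n' "$f"
        fi
    done
}

# Example: kio_audit report /etc/passwd /opt/kde3 /usr
```

On affected KDE 2 systems, set KIO_FILES="rlogin.protocol telnet.protocol" before calling kio_audit. The script covers only the typical locations, so copies stored elsewhere still need a manual search, and active KDE sessions must be restarted after deletion.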

kdelibs-3.0.5 can be downloaded from:
http://download.kde.org/stable/3.0.5/src/kdelibs-3.0.5.tar.bz2
ff22bd58b91ac34e476c308d345421aa kdelibs-3.0.5.tar.bz2

Some vendors are building binary packages of kdelibs-3.0.5. Please check
your vendor's website and the KDE 3.0.5 information page
(http://www.kde.org/info/3.0.5.html) periodically for availability.

Patch:
Patches are available for KDE 3.0.x from the KDE FTP server
(ftp://ftp.kde.org/pub/kde/security_patches/):
5625501819f09510d542142aea7b85ab post-3.0.4-kdelibs-kio-misc.diff

ADDITIONAL INFORMATION

The original advisory can be found at:
http://www.kde.org/info/security/advisory-20021111-1.txt

The information has been provided by Andreas Pour <pour@mieterra.com>.
