[UNIX] Multiple Vulnerabilities in Konversation

From: SecuriTeam (support_at_securiteam.com)
Date: 01/23/05

  • Next message: SecuriTeam: "[EXPL] fkey Symblink Vulnerability"
    To: list@securiteam.com
    Date: 23 Jan 2005 14:28:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Multiple Vulnerabilities in Konversation
    ------------------------------------------------------------------------

    SUMMARY

    Multiple vulnerabilities have been discovered in Konversation, an IRC
    client for KDE.

    A flaw in the expansion of %-escaped variables makes that %-escaped
    variables in certain input strings will be inadvertently expanded too. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2005-0129 to this issue.

    Several perl scripts included with Konversation fail to properly handle
    command line arguments causing a command line injection vulnerability. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2005-0130 to this issue.

    Nick and password are confused in the quick connection dialog, so
    connecting with that dialog and filling in a password, would use that
    password as nick, and may inadvertently expose the password to others. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
    the name CAN-2005-0131 to this issue.

    DETAILS

    Vulnerable Systems:
     * Konversation versions up to and including 0.15

    Immune Systems:
     * Konversation version 0.15.1 or newer

    Impact:
    A user might be tricked to join a channel with a specially crafted channel
    name containing shell commands. If user runs a script in that channel it
    will result in an arbitrary command execution.

    If quick connect is used with a password, the password is used as nickname
    instead. As a result the password may be exposed to others.

    Patch:
    A patch for Konversation 0.15 is available from
    <ftp://ftp.kde.org/pub/kde/security_patches>
    ftp://ftp.kde.org/pub/kde/security_patches

    CVE Information:
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0129>
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0129
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0130>
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0130
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0131>
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0131

    Time line and credits:
    18/01/2005 Konversation developers informed by Wouter Coekaerts
    19/01/2005 Patches applied to KDE CVS
    19/01/2005 Konversation 0.15.1 released
    21/01/2005 KDE Security Advisory released

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:bastian@kde.org> Waldo
    Bastian.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] fkey Symblink Vulnerability"

    Relevant Pages

    • [EXPL] Multiple Vulnerabilities in Konversation (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Multiple vulnerabilities have been discovered in Konversation, ... One allows execution of arbitrary commands via the % ...
      (Securiteam)
    • [UNIX] OpenBB Multiple Vulnerabilities (board.php, search.php, member.php, post.php, myhome.php, ind
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... arbitrary command execution. ... snippet of code from one of the vulnerable scripts is presented ...
      (Securiteam)
    • [EXPL] I-Mall Commerce i-mall.cgi Arbitrary Command Execution (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A remote command execution vulnerability has been discovered in the I-Mall ... sub intro { ... chomp $host; ...
      (Securiteam)
    • [UNIX] Lukemftpd (Tnftpd) Multiple Vulnerabilities May Lead To Remote Code Execution
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... structure tab to indicate if it's acceptable for a command to occur in OOB ... delivering of ABOR and STAT commands in OOB mode. ...
      (Securiteam)
    • [UNIX] Sudo Race Condition Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A race condition with the Sudo command pathname handling allows a local ... When a user runs a command via Sudo, the inode and device numbers of the ... listed in the sudoers file is stored in the variable safe_cmnd, ...
      (Securiteam)