Published:
14 November 2002
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.633 -- KDE Security Advisory
rlogin.protocol and telnet.protocol URL KIO Vulnerability
14 November 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: KIO Subsystem
Vendor: KDE
Impact: Execute Arbitrary Code/Commands
Access Required: Remote
Comment: The PGP signature on the original advisory could not be
verified, however the original document can be found at
http://www.kde.org/info/security/advisory-20021111-1.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
KDE Security Advisory: rlogin.protocol and telnet.protocol URL KIO Vulnerability
Original Release Date: 2002-11-11
URL: http://www.kde.org/info/security/advisory-20021111-1.txt
0. References
None.
1. Systems affected:
All KDE 2 releases starting with KDE 2.1 and all KDE 3 releases
(up to 3.0.4 and 3.1rc3).
2. Overview:
KDE provides support for various network protocols via the KIO
subsystem. These protocols are implemented with text files
containing the extension .protocol, normally stored in the
shared/services/ subdirectory under the KDE installation root.
The implementation of the rlogin protocol in all of the affected
systems, and the implementation of the telnet protocol in affected
KDE 2 systems, allows a carefully crafted URL in an HTML page,
HTML email or other KIO-enabled application to execute arbitrary
commands on the system using the victim's account on the
vulnerable machine.
3. Impact:
The vulnerability potentially enables local or remote attackers
to compromise a victim's account and execute arbitrary commands
on the local system with the victim's privileges, such as erasing
files, accessing data or installing trojans.
4. Solution:
The vulnerability has been fixed in KDE 3.0.5 and a patch is
available for KDE 3.0.4. For affected KDE 3 systems, we recommend
upgrading to KDE 3.0.5, applying the patch provided or disabling
the rlogin protocol.
For affected KDE 2 systems, we recommend disabling both the rlogin
and telnet KIO protocols.
The rlogin protocol vulnerability can be disabled by deleting
any rlogin.protocol files on the system and restarting the active
KDE sessions. The file is usually installed in
[kdeprefix]/share/services/rlogin.protocol ([kdeprefix] is typically
/opt/kde3 or /usr), but copies may exist elsewhere, such as in
users' [kdehome]/share/services directory ([kdehome] is typically
the .kde directory in a user's home directory).
The telnet protocol vulnerability can be similary disabled in
affected KDE 2 systems.
kdelibs-3.0.5 can be downloaded from
http://download.kde.org/stable/3.0.5/src/kdelibs-3.0.5.tar.bz2 :
ff22bd58b91ac34e476c308d345421aa kdelibs-3.0.5.tar.bz2
Some vendors are building binary packages of kdelibs-3.0.5.
Please check your vendors website and the KDE 3.0.5 information page
(http://ww.kde.org/info/3.0.5.html) periodically for availability.
5. Patch:
Patches are available for KDE 3.0.x from the KDE FTP server
(ftp://ftp.kde.org/pub/kde/security_patches/):
5625501819f09510d542142aea7b85ab post-3.0.4-kdelibs-kio-misc.diff
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPdONmyh9+71yA2DNAQFWdwP/e0j5EAJM8uOj2j/t52tQJLxYG6Nz98dN
LakcWULeHPfGCDoGoqbULELMQoYxacdTceshRiLnzWVshxKNjFwSftZq43nOZpco
mWBtdezZIdFosqXf+9D/wB1+htvWW9AogSBsuECoHfX1t1A72vWGmsRP9EwxsRXx
6ZYl66GSaC0=
=g5O5
-----END PGP SIGNATURE-----