Published:
14 November 2002
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.634 -- KDE Security Advisory
resLISa / LISa Vulnerabilities
14 November 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: LISa
resLISa
Vendor: KDE
Impact: Root Compromise
Access Required: Remote
Comment: The PGP signature on the original advisory could not be
verified, however the original document can be found at
http://www.kde.org/info/security/advisory-20021111-2.txt
- --------------------------BEGIN INCLUDED TEXT--------------------
KDE Security Advisory: resLISa / LISa Vulnerabilities
Original Release Date: 2002-11-11
URL: http://www.kde.org/info/security/advisory-20021111-2.txt
0. References
iDEFENSE Security Advisory 11.11.02
(http://www.idefense.com/advisory/11.11.02.txt).
1. Systems affected:
All KDE 2 releases from KDE 2.1 and all KDE 3 releases (up to
3.0.4 and 3.1rc3).
2. Overview:
The kdenetwork module of KDE contains a LAN browsing implementation
known as LISa, which is used to identify CIFS and other servers on
the local network. LISa consists of two main modules, "lisa", a
network daemon, and "reslisa", a restricted version of the lisa
daemon. LISa can be accessed in KDE using the URL type "lan://",
and resLISa using the URL type "rlan://".
LISA will obtain information on the local network by looking for an
existing LISA server on other local hosts, and if there is one,
retrieves the list of servers from it. If there is no other LISA
server, it will scan the network and create as server list.
The browser daemon 'lisa' is typically configured to start as a
system service at system boot time.
resLISa is a restricted version of LISa which uses a configuration
file to identify hosts on the network rather than scanning for
them. resLISa is typically installed SUID root and started by a user
to browse the confitured network servers. However, it does not
directly communicate with servers on the network.
3. Impact:
The resLISa daemon contains a buffer overflow vulnerability which
potentially enables any local user to obtain access to a raw socket
if 'reslisa' is installed SUID root. This vulnerability was
discovered by the iDEFENSE security team and Texonet.
The lisa daemon contains a buffer overflow vulnerability which
potentially enables any local user, as well any any remote attacker
on the LAN who is able to gain control of the LISa port (7741 by
default), to obtain root privileges.
In addition, a remote attacker potentially may be able to gain
access to a victim's account by using an "lan://" URL in an HTML
page or via another KDE application. These vulnerabilities were
discovered by Olaf Kirch at SuSE Linux AG.
4. Solution:
The vulnerabilities have been fixed in KDE 3.0.5 and patches
are available for those using KDE 3.0.4. We recommend either
upgrading to KDE 3.0.5, applying the patches or disabling the
resLISa and LISa services.
The resLISa vulnerability can be disabled by unsetting the SUID bit
on resLISa. Typically this is accomplished by executing the command:
chmod a-s `which reslisa`
Note that this will prevent users from using the resLISa service.
The first LISa vulnerability can be disabled by disabling the LISa
service. Typically this is accomplished by executing the commands:
/etc/init.d/lisa stop
rm /etc/init.d/lisa `which lisa`
or
rpm -e kdenetwork-lisa
However, the appropriate commands depend on your vendor's OS and how
the various components of kdenetwork were packaged.
The second LISa vulnerability can be disabled by deleting any
lan.protocol and rlan.protocol files on the system and restarting
the active KDE sessions. The files are usually installed in
[kdeprefix]/share/services/lan.protocol and
[kdeprefix]/share/services/rlan.protocol ([kdeprefix] is typically
/opt/kde3 or /usr), but copies may exist elsewhere, such as in
users' [kdehome]/share/services directory ([kdehome] is typically
the .kde directory in a user's home directory).
kdenetwork-3.0.5 can be downloaded from
http://download.kde.org/stable/3.0.5/src/ :
504032bceeef0dfa9ff02aed0faf795d kdenetwork-3.0.5.tar.bz2
Some vendors are building binary packages of kdenetwork-3.0.5.
Please check your vendors website and the KDE 3.0.5 information page
(http://ww.kde.org/info/3.0.5.html) periodically for availability.
5. Patch:
Patches are available for KDE 3.0.4 from the KDE FTP server
(ftp://ftp.kde.org/pub/kde/security_patches/):
5b2334c689ae9412475f6b653a107401 post-3.0.4-kdenetwork-lanbrowsing.diff
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBPdOO8Ch9+71yA2DNAQGq5wP/QQoWYPJ8l1bJZGRqlAXhTyszw8n/v0R/
UDrBdsWsTWMAdFaNFSwcFkqOGDyvzjgNdKDUbiPUuU7y2Mn2JbuWlzYtno3h9zRk
qiBN+QkhtES8iksbHR0uT8J1gQ6eqMicnrO7lEOEQPz9aCnaxhN8+aiWALFxfRGa
VD7c3M5VlE0=
=9xfy
-----END PGP SIGNATURE-----