Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-Disclosure] Password Disclosure for SMB Shares in KDE's Konqueror

From: Daniel Fabian (listfabiand.net)
Date: Mon Nov 29 2004 - 02:22:44 CST

| Password Disclosure for SMB Shares in KDE's Konqueror |

Date: Nov. 29, 2004
Author: Daniel Fabian
Product: KDE, Konquerer
Vendor: KDE e. V. (http://www.kde.org)
Vendor-Status: vendor contacted
Vendor-Patches: none available so far
Attack Vector: Local

The KDE program Konquerer allows for browsing SMB shares comfortably
through the GUI. By placing a shortcut to an SMB share on KDE's
desktop, an attacker can disclose his victim's password in

Affected Versions
The problem has been successfully reproduced with KDE 3.2.1 on a
standard SuSE 9.1 distribution. I have not been able to reproduce
the issue on a KDE 3.3.0, however the developers of KDE claimed
that there might be a related issue in both KDE 3.3 as well as the
upcoming KDE 3.4.

Vendor Status
The vendor has been notified and was very cooperative. We set a
coordinated disclosure date to Nov. 10th. However Nov. 10th passed,
without a patch available. My mail for a new date has gone
unanswered for more than two weeks now, so I suppose it is ok to
release this advisory, very much so since this is not an issue that
can be widely exploited anyway.

Opening the URL "smb:/" in Konquerer allows KDE users to browse the
local network for SMB shares. Upon selecting a computer, the user
has to enter a password, if access to that computer is resticted.
While the URL of the SMB share correctly does not show the password
in Konqueror's address bar, this can be easily bypassed by copying
a shortcut to a certain share to the desktop.

The created desktop icon will be given a name (and address) following
this scheme:


The password can be read in plaintext by an attacker. So while a
colleague is getting some coffee or having a short nap at
his desk, it is most easy to get the password of his open
SMB shares.

Oct. 06: Discovery of the vulnerability
Oct. 10: Initial vendor reply
Nov. 10: Planed coordinated disclosure
Nov. 29: Final disclosure

Counter Measures
Until a patch is available, just lock your computer every time
you leave it (should be done regardless of this issue).

EOF Daniel Fabian / 2004
d.fabian at sec-consult dot com


SEC Consult Unternehmensberatung GmbH

Buero Wien
Blindengasse 3
A-1080 Wien

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html