OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Mon Nov 11 2002 - 10:56:30 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 11.11.02:
    http://www.idefense.com/advisory/11.11.02.txt
    Buffer Overflow in KDE resLISa
    November 11, 2002

    I. BACKGROUND

    KDE is a popular open source graphical desktop environment for Unix
    workstations. Its kdenetwork module contains a LAN browsing
    implementation known as LISa, which is used to identify CIFS and
    other servers on the local network. LISa consists of two main
    modules: "lisa", a network daemon, and "resLISa", a restricted
    version of the lisa daemon created by Alexander Neundorf. LISa's lisa
    module can be accessed in KDE using the URL type "lan://"; the
    resLISa module can be accessed using the URL type "rlan://".

    II. DESCRIPTION

    Local exploitation of a buffer overflow within the resLISa module
    could allow an attacker to gain elevated privileges. The overflow
    exists in the parsing of the LOGNAME environment variable; an overly
    long value will overwrite the instruction pointer, thereby allowing
    an attacker to seize control of the executable. The following is a
    snapshot of the exploit in action:

    farmerdebian30:~$ ./reslisa_bof
    farmerdebian30:~$ NetManager::prepare: listen failed
    sh-2.05a$ id
    uid=1000(farmer) gid=1000(farmer) groups=1000(farmer)

    While the attacker's privileges have not been escalated, the
    following shows the creation of a raw socket that is accessible by
    the attacker:

    farmerdebian30:~$ lsof | grep raw
    sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07

    farmerdebian30:~$ cd /proc/1413/fd/
    farmerdebian30:/proc/1413/fd$ ls -l
    total 0
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432]
    l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null
    lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433]

    III. ANALYSIS

    Local attackers can use access to a raw socket to sniff network
    traffic and generate malicious traffic (such as network scans, ARP
    redirects, DNS poisoning). This can lead to further compromise of the
    target system as well as other neighboring systems, depending on
    network trust relationships.

    IV. DETECTION

    This vulnerability exists in all versions of resLISa included within
    kdenetwork packages found in versions of KDE before 3.0.5. To
    determine if a specific implementation is vulnerable issue the
    following commands:
     
    $ LOGNAME=`perl -e 'print "A"x5000'`
    $ `which reslisa` -c .
     
    If the application exits, printing "signal caught: 11, exiting", then
    it is vulnerable. The above example was performed on resLISa version
    0.1.1 which is packaged and distributed with Debian 3.0r0.

    V. VENDOR FIX

    KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable
    buffer overflow found in LISa by Olaf Kirch of SuSE Linux AG. More
    information about the fix is available at
    http://www.kde.org/info/security. Individual Unix vendors should be
    providing updated KDE distributions on their appropriate download
    sites.

    Lisa 0.2.2, which also fixes these issues and compiles independent of
    KDE, can be downloaded at
    http://lisa-home.sourceforge.net/download.html.

    VI. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    assigned the identification number CAN-2002-1247 to this issue.

    VII. DISCLOSURE TIMELINE

    10/02/2002 Issue disclosed to iDEFENSE
    10/31/2002 Maintainer, Alexander Neundorf (neundorfkde.org),
                    and Linux Security list (vendor-seclst.de) notified
    10/31/2002 Response received from Alexander Neundorf
    11/01/2002 iDEFENSE clients notified
    11/11/2002 Coordinated public disclosure

    VIII. CREDIT

    Texonet (http://www.texonet.com) discovered this vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    - -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPcwdxUrdNYRLCswqEQLB3wCfauM7/75ebKpsA70fmHN2I1t2fGMAoNra
    anqP0AHYTOkh4K5MJnsLXywG
    =Dx3m
    - -----END PGP SIGNATURE-----

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPc/eA0rdNYRLCswqEQJeYQCfYNI5R0dKp2LIHZqNZGgkluz33yYAoIFD
    bd5X67odGkaMxcMiWgPIgQqP
    =7g+2
    -----END PGP SIGNATURE-----