The KDE browser Konqueror enables a user the ability to easily browse SMB shares through the GUI. In addition, the process can be automated by using an SMB shortcut.
A problem in how KDE handles shortcuts to SMB shares allows creation of a share with login credential in plaintext.
Credit:
The information has been provided by Daniel Fabian.
Note: Although KDE 3.3 and 3.4 are not vulnerable, the vendor has confirmed the existence of a potential problem related to the one described in this advisory.
Opening the URL "smb://" in Konquerer allows KDE users to browse the local network for SMB shares. Upon selecting a computer, the user has to enter a password, if access to that computer is restricted. While the URL of the SMB share as shown Konqueror's address bar does not reveal the password this can be easily bypassed by copying a shortcut to a certain share to the desktop.
The created desktop shortcut icon will be given a name with the following scheme: smb://domain\username:password@server\sharename
And the password can be read since it is shown in plaintext.
Disclosure Timeline:
06/10/2004 - Discovery of the vulnerability
10/10/2004 - Initial vendor reply
10/11/2004 - Planed coordinated disclosure
29/11/2004 - Final disclosure
