
[Full-Disclosure] Password Disclosure for SMB Shares in KDE's Konqueror

Subject: [Full-Disclosure] Password Disclosure for SMB Shares in KDE's Konqueror
Date: Mon, 29 Nov 2004 09:22:44 +0100
-------------------------------------------------------------------------
|      Password Disclosure for SMB Shares in KDE's Konqueror            |
-------------------------------------------------------------------------

Date: Nov. 29, 2004
Author: Daniel Fabian
Product: KDE, Konqueror
Vendor: KDE e. V. (http://www.kde.org)
Vendor-Status: vendor contacted
Vendor-Patches: none available so far
Attack Vector: Local

~~~~~~~~
Synopsis
~~~~~~~~~~~~~~~~~~~~~~~~
The KDE program Konqueror allows for browsing SMB shares comfortably
through the GUI. By placing a shortcut to an SMB share on KDE's
desktop, an attacker can disclose his victim's password in
plaintext.


~~~~~~~~
Affected Versions
~~~~~~~~~~~~~~~~~~~~~~~~
The problem has been successfully reproduced with KDE 3.2.1 on a
standard SuSE 9.1 distribution. I have not been able to reproduce
the issue on a KDE 3.3.0, however the developers of KDE claimed
that there might be a related issue in both KDE 3.3 as well as the
upcoming KDE 3.4.


~~~~~~~~
Vendor Status
~~~~~~~~~~~~~~~~~~~~~~~~
The vendor has been notified and was very cooperative. We set a
coordinated disclosure date to Nov. 10th. However Nov. 10th passed,
without a patch available. My mail for a new date has gone
unanswered for more than two weeks now, so I suppose it is ok to
release this advisory, very much so since this is not an issue that
can be widely exploited anyway.


~~~~~~~~
Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~
Opening the URL "smb:/" in Konqueror allows KDE users to browse the
local network for SMB shares. Upon selecting a computer, the user
has to enter a password, if access to that computer is restricted.
While the URL of the SMB share correctly does not show the password
in Konqueror's address bar, this can be easily bypassed by copying
a shortcut to a certain share to the desktop.

The created desktop icon will be given a name (and address) following
this scheme:

smb://domain\username:password@server\sharename

The password can be read in plaintext by an attacker. So while a
colleague is getting some coffee or having a short nap at
his desk, it is most easy to get the password of his open
SMB shares.


~~~~~~~~
Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
Oct. 06: Discovery of the vulnerability
Oct. 10: Initial vendor reply
Nov. 10: Planned coordinated disclosure
Nov. 29: Final disclosure


~~~~~~~~
Counter Measures
~~~~~~~~~~~~~~~~~~~~~~~~
Until a patch is available, just lock your computer every time
you leave it (should be done regardless of this issue).
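
One way to audit for the shortcut scheme described under Vulnerability
(added example, not part of the original advisory or of KDE's code): it
scans shortcut files in a desktop directory for smb:// URLs that carry a
password and reports them with the password masked. The Key=Value file
layout, the Name and URL keys, the directory argument and the sample
values are assumptions.

```python
import re
from pathlib import Path

# smb://[domain\]user:password@server...  The password group is greedy, so a
# password that itself contains '@' is covered up to the last '@' in the value.
CRED_URL = re.compile(
    r"smb://(?P<user>[^:@/\s]+):(?P<pw>\S+)@(?P<rest>[^@\s]+)", re.I)

def redact(value):
    """Return value with any embedded SMB password masked, or None if clean."""
    redacted, hits = CRED_URL.subn(
        lambda m: f"smb://{m['user']}:***@{m['rest']}", value)
    return redacted if hits else None

def scan_entry(text):
    """Check each Key=Value line of a shortcut; return [(key, masked_value)]."""
    findings = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and (masked := redact(value)) is not None:
            findings.append((key.strip(), masked))
    return findings

def scan_dir(directory):
    """Yield (path, findings) for every regular file that holds a credential URL."""
    for path in sorted(Path(directory).expanduser().iterdir()):
        if path.is_file():
            found = scan_entry(path.read_text(errors="replace"))
            if found:
                yield path, found

# Constructed sample shortcut (not taken from the advisory). The Name/URL keys
# of a freedesktop-style link entry are an assumption about how the icon is
# stored on disk; the URL follows the scheme quoted in the advisory.
SAMPLE = """[Desktop Entry]
Type=Link
Name=smb://WORKGROUP\\alice:s3cr3t@fileserver\\projects
URL=smb://WORKGROUP\\alice:s3cr3t@fileserver\\projects
Icon=folder_remote
"""

if __name__ == "__main__":
    for key, value in scan_entry(SAMPLE):
        print(f"{key}: {value}")
```

Calling scan_dir("~/Desktop") runs the same check over a real desktop
directory; the output never contains the password itself.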


EOF Daniel Fabian / @2004
d.fabian at sec-consult dot com

~~~~~~~~
Contact
~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

Buero Wien
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
http://www.sec-consult.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
