In the xterm there is a feature to change the title of the window: you can change it by sending the xterm one of its escape codes (on Linux, see "man console_codes"). For example:

ESC]2;This is my Xterm^G

This escape code changes the xterm's title to "This is my Xterm".

Obviously you can do the same with kvt (the KDE Virtual Terminal). But kvt has a buffer overflow: if the new window title is big enough, kvt dumps core.

This bug follows the "reverse exploit" line, where some program sends this escape code to the kvt. For example, when someone connects to an ftp server and the server sends its welcome message, it is easy to exploit this bug by changing the welcome message (in the .message file) to one containing this escape code, causing a buffer overflow in the connecting user's kvt. Another example where someone can cause a buffer overflow on your machine is simply "cat hosts", where hosts is a file you received by mail containing the "change window title" escape code.

This bug shows some of kvt's security problems being exploited via a "reverse exploit", or via an exploit sent directly to your terminal (if the attacker can write to your kvt). If this bug is exploited, the attacker can obtain the privileges of the kvt's owner and execute arbitrary code as that user.

This bug was reported to the KDE team by Larry Granroth in January (http://bugs.kde.org/db/33/332.html). The new KDE version doesn't have this bug in kconsole; kvt was replaced totally by kconsole. But RedHat 6.0 installed with KDE has this bug.

Cheers.

Sebastian Wain
swain@core-sdi.com
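As an added illustration (not part of the original report), the following Python scans a byte stream such as an ftp banner or a mailed file for the OSC title-change sequence described above, flags titles that are unterminated or longer than an assumed limit, and strips the sequences before the data reaches the terminal. The length limit, the sample banners and the function names are assumptions, not values from the report.

```python
import re

# Assumed limit, not from the report: a title longer than this is treated as suspicious.
MAX_TITLE_LEN = 64

# xterm OSC title sequences: ESC ] Ps ; text, ended by BEL (^G) or ST (ESC \).
# Ps 0 sets icon name and title, 1 the icon name, 2 the window title (the one in the report).
OSC_TITLE_RE = re.compile(rb"\x1b\](?P<ps>[012]);(?P<text>[^\x07\x1b]*)(?P<end>\x07|\x1b\\)?")


def scan_title_sequences(data: bytes, max_len: int = MAX_TITLE_LEN):
    """Return one record per title-change sequence found in data.

    Each record says where the sequence starts, which Ps it uses, how long the
    title text is, whether it was properly terminated, and whether it should be
    treated as suspicious (unterminated or longer than max_len).
    """
    findings = []
    for m in OSC_TITLE_RE.finditer(data):
        text = m.group("text")
        terminated = m.group("end") is not None
        findings.append({
            "offset": m.start(),
            "ps": int(m.group("ps")),
            "length": len(text),
            "terminated": terminated,
            "suspicious": (len(text) > max_len) or not terminated,
        })
    return findings


def strip_title_sequences(data: bytes) -> bytes:
    """Remove every title-change sequence so the stream can be written to the terminal."""
    return OSC_TITLE_RE.sub(b"", data)


# Constructed samples: a welcome banner carrying the harmless title from the report,
# and one whose title is far longer than any real window title.
BENIGN_BANNER = b"220 ftp ready\r\n\x1b]2;This is my Xterm\x07\r\n"
OVERSIZED_BANNER = b"220 ftp ready\r\n\x1b]2;" + b"A" * 300 + b"\x07\r\n"

if __name__ == "__main__":
    for banner in (BENIGN_BANNER, OVERSIZED_BANNER):
        for finding in scan_title_sequences(banner):
            print(finding)
        print(strip_title_sequences(banner))
```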
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:52 PDT