Kvt bug

From: Sebastian Wain (core.lists.bugtraq@CORE-SDI.COM)
Date: Wed Sep 29 1999 - 12:01:03 PDT

    xterm has a feature to change the title of its window. You can change the
    title by sending one of xterm's escape codes to the terminal
    (on Linux: man console_codes).
    
    For example:
    
    ESC]2;This is my Xterm^G
    
    This escape code changes the xterm's title to "This is my Xterm".
    
    Obviously you can do the same with kvt (the KDE Virtual Terminal).
    But kvt has a buffer overflow: if the new window title is long enough,
    kvt dumps core.
    
    This bug follows the "reverse exploit" line: some program sends this
    escape code to the kvt.
    For example, when someone connects to an ftp server and the server sends
    its welcome message, it is easy to trigger this bug by changing the
    welcome message (in the .message file) to one containing this escape code,
    causing a buffer overflow.
    
    Another way someone can cause a buffer overflow on your machine is simply
    by you doing "cat hosts", where hosts is a file you received by mail that
    contains the "change window title" escape code.
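As an added example that is not from the original post or from kvt/KDE itself, a small Python filter that detects OSC title-setting sequences in untrusted text (an ftp welcome banner, a mailed file) and strips them before the bytes are shown in a terminal; the 256-byte limit and the sample banner are constructed assumptions.

```python
import re

# OSC (Operating System Command) sequence: ESC ] Ps ; Pt, terminated by
# BEL (^G) or by ST (ESC \). An unterminated sequence runs to end of input,
# which is what a terminal would keep buffering as title text.
OSC_RE = re.compile(rb"\x1b\](\d*);?(.*?)(?:\x07|\x1b\\|\Z)", re.DOTALL)

# Ps values that set the icon name and/or window title (xterm, kvt).
TITLE_PS = {0, 1, 2}

# Assumed policy limit for a title payload; the post gives no exact size,
# only that a "big enough" title crashes kvt.
MAX_TITLE_LEN = 256


def find_title_sequences(data: bytes):
    """Return (Ps, payload) for every OSC sequence that changes the title."""
    found = []
    for m in OSC_RE.finditer(data):
        ps = int(m.group(1) or b"0")
        if ps in TITLE_PS:
            found.append((ps, m.group(2)))
    return found


def oversized_titles(data: bytes, max_len: int = MAX_TITLE_LEN):
    """Flag title sequences whose payload exceeds the assumed limit."""
    return [(ps, len(t)) for ps, t in find_title_sequences(data) if len(t) > max_len]


def strip_osc(data: bytes) -> bytes:
    """Remove every OSC sequence, terminated or not, from untrusted text
    such as an ftp banner or a mailed file before a terminal renders it."""
    return OSC_RE.sub(b"", data)


# Constructed sample: an ftp welcome banner (.message) carrying a title change.
SAMPLE_BANNER = (b"220 Welcome to ftp.example.test\r\n"
                 + b"\x1b]2;" + b"A" * 300 + b"\x07"
                 + b"Enjoy your stay.\r\n")

if __name__ == "__main__":
    for ps, n in oversized_titles(SAMPLE_BANNER):
        print(f"OSC {ps}: title payload of {n} bytes exceeds {MAX_TITLE_LEN}")
    print(strip_osc(SAMPLE_BANNER).decode())
```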
    
    This bug shows that kvt's security problems can be exploited via a
    "reverse exploit" or via an exploit sent directly to your terminal
    (if the attacker can write to your kvt).
    
    If this bug is exploited, the attacker can obtain the privileges of
    kvt's owner and execute arbitrary code as that user.
    
    This bug was reported to the KDE team by Larry Granroth in January
    (http://bugs.kde.org/db/33/332.html).
    
    The new KDE version doesn't have this bug in kconsole;
    kvt was replaced entirely by kconsole.
    But RedHat 6.0 installed with KDE has this bug.
    
    Cheers.
    
    Sebastian Wain
    swain@core-sdi.com
    
    --- For a personal reply use swain@core-sdi.com
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:05:52 PDT