Bug 95825

Summary: kio_ftp can be tricked into talking to an SMTP server
Product: [Unmaintained] kio Reporter: Thiago Macieira <thiago>
Component: ftpAssignee: David Faure <faure>
Status: RESOLVED FIXED    
Severity: critical    
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: First patch

Description Thiago Macieira 2004-12-26 00:19:09 UTC 
Version:           desconhecido (using KDE 3.3.90 (alpha1, CVS >= 20041206), compiled sources)
Compiler:          gcc version 3.4.3
OS:                Linux (i686) release 2.6.9

kio_ftp is vulnerable to an exploit that would cause Konqueror to send email without user interaction. It could be used to flood someone's mailbox.

Reported here:
http://lists.netsys.com/pipermail/full-disclosure/2004-December/030229.html

Debian bug 287201:
http://bugs.debian.org/287201

Also Ubuntu bug 4989:
https://bugzilla.ubuntu.com/show_bug.cgi?id=4989

This bug has been confirmed for HEAD 20041209 and probably affects older versions as well.

A patch is being produced.
Comment 1 Thiago Macieira 2004-12-26 00:39:08 UTC 
Created attachment 8814 [details]
First patch

First patch fixing the problem on HEAD, based on Debian's suggestion.
Comment 2 Thiago Macieira 2004-12-26 00:44:36 UTC 
CVS commit by thiago: 

Fixing exploit. Will close bug report when backported.

CCBUG:95825
CCMAIL:security@kde.org


  M +8 -0      ftp.cc   1.216


--- kdelibs/kioslave/ftp/ftp.cc  #1.215:1.216
@@ -752,4 +752,12 @@ bool Ftp::ftpSendCmd( const QCString& cm
   assert(m_control != NULL);    // must have control connection socket
 
+  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+  {
+    kdWarning(7102) << "Invalid command received (contains CR or LF):"
+                    << cmd.data() << endl;
+    error( ERR_UNSUPPORTED_ACTION, m_host );
+    return false;
+  }
+
   // Don't print out the password...
   bool isPassCmd = (cmd.left(4).lower() == "pass");
Comment 3 Thiago Macieira 2004-12-26 01:29:58 UTC 
CVS commit by thiago: 

(Backport 1.215:1.216) Fixing exploit bug.

CCBUG:95825


  M +8 -0      ftp.cc   1.213.2.2


--- kdelibs/kioslave/ftp/ftp.cc  #1.213.2.1:1.213.2.2
@@ -752,4 +752,12 @@ bool Ftp::ftpSendCmd( const QCString& cm
   assert(m_control != NULL);    // must have control connection socket
 
+  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+  {
+    kdWarning(7102) << "Invalid command received (contains CR or LF): "
+                    << cmd.data() << endl;
+    error( ERR_UNSUPPORTED_ACTION, m_host );
+    return false;
+  }
+
   // Don't print out the password...
   bool isPassCmd = (cmd.left(4).lower() == "pass");
Comment 4 Thiago Macieira 2004-12-26 01:31:35 UTC 
CVS commit by thiago: 

(Backport 1.215:1.216) Fixing exploit bug.

BUG:95825


  M +9 -1      ftp.cc   1.192.2.4


--- kdelibs/kioslave/ftp/ftp.cc  #1.192.2.3:1.192.2.4
@@ -653,4 +653,12 @@ bool Ftp::ftpSendCmd( const QCString& cm
   assert( sControl > 0 );
 
+  if ( cmd.find( '\r' ) != -1 || cmd.find( '\n' ) != -1)
+  {
+    kdWarning(7102) << "Invalid command received (contains CR or LF): "
+                    << cmd.data() << endl;
+    error( ERR_UNSUPPORTED_ACTION, m_host );
+    return false;
+  }
+
   QCString buf = cmd;
   buf += "\r\n";