xorl %eax, %eax

CVE-2011-1586: KDE KGet Remote Directory Traversal


KDE KGet 4.4, 4.5 and 4.6 up to 4.6.2 are vulnerable to remote directory traversal. The issue was reported by Felix Geyer and you can find here the complete bug fix timeline.

The buggy C++ code resides in the kdenetwork/kget/ui/metalinkcreator/metalinker.cpp file and is shown below.

bool KGetMetalink::File::isValidNameAttribute() const
{
    if (name.isEmpty()) {
        kError(5001) << "Name attribute of Metalink::File is empty.";
        return false;
    }

    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
        kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
        return false;
    }

    return true;
}

As you can see from the given code, the validation routine for the “name” attribute of the “file” metalink element checks that the provided name is not empty and does not contain directory traversal sequences. However, it does not reject names that denote directories (names ending with the ‘/’ character), names containing single-dot (“.”) or double-dot (“..”) path components, or names starting at the root directory.

-    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
+    if (name.endsWith('/')) {
+        kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
+        return false;
+    }
+
+    const QStringList components = name.split('/');
+    if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
         kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
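Review bot: the removed pattern `$(\\.\\.?)?/` anchors on `$` (end of string) rather than `^`, so it could never match a leading "./" or "../"; only the two literal "/../" and "/.." checks ever fired. The component-wise `split('/')` replacement closes that gap and additionally rejects a leading '/', a trailing '/' and bare "." components. Worth pinning those inputs ("../x", "./x", "/x", "x/") in a unit test so the check is not regressed later, and the first kError text could say "is a directory" rather than "does not contain a file name" to match what `endsWith('/')` actually detects.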

Due to these missing checks, a user could construct a malicious metalink file that leads to a file being downloaded into a different directory than the expected one.
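To make the difference between the two checks concrete, here is an added example (not KGet or KDE code) that reimplements the pre-fix and post-fix versions of isValidNameAttribute() on std::string, with QRegExp and QString::split() replaced by std::regex and a small hand-written split. The names in the table are constructed test inputs; the two function names are assumptions of this example, not names from the KGet source.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Pre-fix check, mirroring the original routine. In both QRegExp and
// std::regex a leading "$" asserts end-of-string, so "$(\.\.?)?/" can never
// match anything; only the two literal substring checks ever reject a name.
static bool isValidNameOld(const std::string& name) {
    if (name.empty()) return false;
    static const std::regex traversal("$(\\.\\.?)?/");
    if (std::regex_search(name, traversal)) return false;
    if (name.find("/../") != std::string::npos) return false;
    if (name.size() >= 3 && name.compare(name.size() - 3, 3, "/..") == 0) return false;
    return true;
}

// Stand-in for QString::split('/'): keeps empty components, so "/a" yields
// {"", "a"} and "a//b" yields {"a", "", "b"}, exactly as Qt does.
static std::vector<std::string> splitPath(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : s) {
        if (c == sep) { out.push_back(cur); cur.clear(); }
        else cur.push_back(c);
    }
    out.push_back(cur);
    return out;
}

// Post-fix check, mirroring the patch: reject a trailing '/', a leading '/',
// and any "." or ".." path component regardless of where it appears.
static bool isValidNameNew(const std::string& name) {
    if (name.empty()) return false;
    if (name.back() == '/') return false;
    if (name.front() == '/') return false;
    for (const std::string& component : splitPath(name, '/')) {
        if (component == "." || component == "..") return false;
    }
    return true;
}

int main() {
    // Constructed sample names: benign ones first, then the shapes the
    // original check let through, then one both versions reject.
    const char* samples[] = {
        "linux.iso", "isos/linux.iso",
        "../evil", "./evil", "/etc/evil", "dir/",
        "a/../b",
    };
    std::cout << "name            old   new\n";
    for (const char* s : samples) {
        std::cout << s << std::string(16 - std::string(s).size(), ' ')
                  << (isValidNameOld(s) ? "ok    " : "reject")
                  << (isValidNameNew(s) ? " ok" : " reject") << '\n';
    }
    return 0;
}
```

Running it shows that "../evil", "./evil", "/etc/evil" and "dir/" all pass the old check and are rejected only by the new one, while "a/../b" is rejected by both.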

Written by xorl

May 14, 2011 at 21:43

Posted in bugs
