From xforce@iss.net Thu Jun 10 04:57:34 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Wed, 9 Jun 1999 16:16:41 -0400 (EDT)
Subject: ISSalert: ISS Security Advisory: KDE K-Mail File Creation Vulnerability

ISS Security Advisory
June 9, 1999

KDE K-Mail File Creation Vulnerability

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in
KDE's K-Mail mail user agent software. KDE is a very popular window manager
available for most Unix platforms, and provides an easy-to-use interface and
a number of graphical front ends to common command-line Unix applications.
K-Mail contains a vulnerability that may allow local attackers to compromise
the UID of whoever is running K-Mail. The mail client creates insecure
temporary directories that are used to store MIME encoded files.

Affected Versions:

ISS X-Force has confirmed that this vulnerability exists on version 1.1 of
KDE window management software. To determine if you are vulnerable, run the
KDE Control Center application and see if the version of KDE reported is 1.1
or earlier.

Description:

When K-Mail receives an e-mail with attachments, it creates a directory to
store the attachments. K-Mail does not verify that the directory already
exists, and is willing to follow symbolic links, allowing local attackers to
create files with the contents they choose in any directory writable by the
user executing K-Mail. If K-Mail is run as root, unauthorized superuser
access may be obtained.

Fix Information:

KDE has a patch that addresses this vulnerability. It can be retrieved at:

ftp://ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff

Additional Information:

Information in this advisory was obtained by the research of Brian Mitchell
bmitchell@iss.net. ISS X-Force would like to thank Stefan Taferner, Markus
Wuebben, and the entire KDE organization for their rapid response to this
vulnerability.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the electronic redistribution of this
Security Alert. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

About ISS

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.
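
The Description above names two missing checks: whether the attachment directory already exists, and whether a path component is a symbolic link. The following C sketch is an added example, not code from the advisory or from KDE's patch; save_attachment(), demo() and the scratch paths are hypothetical names, and it assumes a POSIX.1-2008 system with a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a fresh private directory and write one
 * attachment into it. Returns 0 on success, -1 on any pre-existing entry. */
int save_attachment(const char *dir, const char *name, const void *buf, size_t len)
{
    /* mkdir() fails with EEXIST for anything already at the path, including
     * a symlink, so an existing entry is treated as fatal, never reused. */
    if (mkdir(dir, 0700) != 0) return -1;
    /* Pin the directory by descriptor and confirm it is ours and private. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    struct stat st;
    if (dfd < 0 || fstat(dfd, &st) != 0 ||
        st.st_uid != geteuid() || (st.st_mode & 077)) {
        if (dfd >= 0) close(dfd);
        return -1;
    }
    /* O_EXCL refuses an existing name; O_NOFOLLOW refuses a symlink there. */
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    if (fd < 0) return -1;
    int ok = write(fd, buf, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed self-check in a scratch directory: 0 means every case behaved. */
int demo(void)
{
    char base[] = "/tmp/attach-demo-XXXXXX", dir[64], link_path[64];
    if (!mkdtemp(base)) return 1;
    snprintf(dir, sizeof dir, "%s/parts", base);
    snprintf(link_path, sizeof link_path, "%s/planted", base);
    if (save_attachment(dir, "a.txt", "hi", 2) != 0) return 2;        /* fresh path: ok */
    if (save_attachment(dir, "b.txt", "hi", 2) == 0) return 3;        /* directory exists */
    if (symlink(base, link_path) != 0) return 4;
    if (save_attachment(link_path, "c.txt", "hi", 2) == 0) return 5;  /* symlink at path */
    return 0;
}

int main(void)
{
    int rc = demo();
    printf("self-check %s\n", rc ? "failed" : "passed");
    return rc;
}
```

Where the directory name does not need to be predictable, mkdtemp(3) gives the same create-or-fail guarantee with a random name.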