Subject: [xforce@iss.net: ISSalert: ISS Security Advisory: KDE K-Mail File Creation Vulnerability]
To: None <tech-security@netbsd.org>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: tech-security
Date: 06/09/1999 16:35:55
----- Forwarded message from X-Force <xforce@iss.net> -----

Date: Wed, 9 Jun 1999 16:16:41 -0400 (EDT)
From: X-Force <xforce@iss.net>
To: alert@iss.net
Subject: ISSalert: ISS Security Advisory: KDE K-Mail File Creation Vulnerability



-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
June 9, 1999

KDE K-Mail File Creation Vulnerability

Synopsis:

Internet Security Systems (ISS) X-Force has discovered a vulnerability in
KDE's K-Mail mail user agent software. KDE is a very popular window manager
available for most Unix platforms, and provides an easy-to-use interface and
a number of graphical front ends to common command-line Unix applications.
K-Mail contains a vulnerability that may allow local attackers to compromise
the UID of whoever is running K-Mail. The mail client creates insecure
temporary directories that are used to store MIME encoded files.

Affected Versions:

ISS X-Force has confirmed that this vulnerability exists on version 1.1 of
KDE window management software.

To determine if you are vulnerable, run the KDE Control Center application
and see if the version of KDE reported is 1.1 or earlier.

Description:

When K-Mail receives an e-mail with attachments, it creates a directory to
store the attachments. K-Mail does not verify that the directory already
exists, and is willing to follow symbolic links, allowing local attackers to
create files with the contents they choose in any directory writable by the
user executing K-Mail. If K-Mail is run as root, unauthorized superuser
access may be obtained.

Fix Information:

KDE has a patch that addresses this vulnerability. It can be retrieved at:

ftp://ftp.kde.org/pub/kde/security_patches/kmail-security-patch.diff

Additional Information:

Information in this advisory was obtained by the research of Brian Mitchell
bmitchell@iss.net. ISS X-Force would like to thank Stefan Taferner, Markus
Wuebben, and the entire KDE organization for their rapid response to this
vulnerability.

________

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is
hereby granted for the electronic redistribution of this Security Alert.
It is not to be edited in any way without express consent of the X-Force.
If you wish to reprint the whole or any part of this Alert Summary in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

About ISS
ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

-----END PGP SIGNATURE-----

----- End forwarded message -----

-- 
    Mason Loring Bliss   mason@acheron.middleboro.ma.us   They also surf who
awake ? sleep : dream;   http://acheron.ne.mediaone.net   only stand on waves.
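
The advisory's Description attributes the flaw to a directory that is used without checking whether it already exists, and to symbolic links being followed. The following is an added example, not K-Mail's code and not the KDE patch: a C sketch of creating an attachment directory and file so that a pre-planted directory or symlink is refused. The helper names make_attach_dir and save_attachment, the "attach.XXXXXX" template and the /tmp base are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a fresh private directory under `base`.
 * mkdtemp() picks an unpredictable name, creates it with mode 0700 and
 * fails instead of adopting an entry (directory or symlink) that exists. */
int make_attach_dir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/attach.XXXXXX", base);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return mkdtemp(out) ? 0 : -1;
}

/* Hypothetical helper: store one attachment inside `dir`. The name comes
 * from the message, so '/' and dot entries are rejected. O_CREAT|O_EXCL
 * refuses any existing name, planted symlinks included. */
int save_attachment(const char *dir, const char *name, const void *data, size_t len)
{
    char path[4096];
    if (!*name || strchr(name, '/') || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    int n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    int rc = write(fd, data, len) == (ssize_t)len ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    if (rc != 0)
        unlink(path);   /* do not leave a partial file behind */
    return rc;
}

int main(void)
{
    char dir[256];      /* constructed demo: one note saved under /tmp */
    if (make_attach_dir("/tmp", dir, sizeof dir) != 0) return 1;
    return save_attachment(dir, "note.txt", "hello\n", 6) != 0;
}
```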