[Repost] Multiple Vulnerabilities in Konversation

Source: www.securiteam.com

Summary
Multiple vulnerabilities have been discovered in Konversation, an IRC client for KDE. One allows execution of arbitrary commands via the % expansion mechanism; another allows execution of arbitrary commands via the command-line support scripts. The following two proofs of concept can be used to test your system for the mentioned vulnerabilities.

Credit:
The information has been provided by Wouter Coekaerts.
The original article can be found at: http://wouter.coekaerts.be/konversation.html

Details
Vulnerable Systems:
* Konversation version 0.15.0 and prior

Immune Systems:
* Konversation version 0.15.1 or newer

% Expanding
Konversation's Server::parseWildcards function contains a vulnerability that allows a remote attacker to use its '%' expansion feature to make it execute arbitrary code.

Example:
With the channel name #%n/quit%n, receiving an invitation to this channel will cause Konversation to exit.

Included Perl Scripts Vulnerable to Shell Command Injection
Perl scripts included with Konversation execute a command line similar to:
exec ("dcop $PORT Konversation say $SERVER \"$TARGET\" output");
where the shell characters in $SERVER or $TARGET aren't escaped.

Example:
Therefore, joining a channel named #`kwrite` and executing the sample script (for example typing /uptime) will start kwrite.

Solution:
These problems are fixed in version 0.15.1, which was released 19/01/05. Individual patches can be downloaded at:
http://wouter.coekaerts.be/files/konversation-parse.diff
http://wouter.coekaerts.be/files/konversation-quickconnect.diff
http://wouter.coekaerts.be/files/konversation-scripts.diff
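The shell-injection issue in the included Perl scripts described above, shown next to a hardened list-form call. This is an added example, not code from the advisory, the Konversation project or its patches. It assumes printf as a stand-in for dcop so it runs without KDE; the sample values and the helper names run_string_form and run_list_form are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample values. The target mimics a channel name containing
# backticks, with a harmless echo in place of a real program.
my ($PORT, $SERVER, $TARGET) =
    ('konversation-1234', 'irc.example.net', '#`echo INJECTED`');

# Assumption: printf stands in for the dcop binary so this runs without KDE.
# It prints every argument it receives inside brackets.

# Pattern from the advisory: one interpolated string handed to /bin/sh.
# Backticks inside shell double quotes are still command substitution.
sub run_string_form {
    my ($port, $server, $target) = @_;
    return qx(printf '[%s]' $port Konversation say $server "$target" output);
}

# Hardened form: a list of arguments, so no shell ever parses the values.
# In a real script the equivalent call would be
#   exec('dcop', $PORT, 'Konversation', 'say', $SERVER, $TARGET, 'output');
sub run_list_form {
    my ($port, $server, $target) = @_;
    open(my $fh, '-|', 'printf', '[%s]',
         $port, 'Konversation', 'say', $server, $target, 'output')
        or die "cannot start printf: $!";
    local $/;                      # slurp all output at once
    my $out = <$fh>;
    close($fh);
    return $out;
}

my $unsafe = run_string_form($PORT, $SERVER, $TARGET);
my $safe   = run_list_form($PORT, $SERVER, $TARGET);

print "string form: $unsafe\n";   # the shell replaced the backtick part
print "list form:   $safe\n";     # the channel name arrives byte for byte

# A script can assert that the target reached the command unmodified.
die "target was altered by a shell\n" unless index($safe, "[$TARGET]") >= 0;
print "list form delivered the target literally\n";
```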
