kio: Information Leak when accessing https when using a malicious PAC file

Bug #1668871 reported by wens on 2017-03-01
Affects              Status   Importance   Assigned to   Milestone
kde4libs (Ubuntu)             Undecided    Unassigned
  Trusty                      Undecided    Unassigned
  Xenial                      Undecided    Unassigned
  Yakkety                     Undecided    Unassigned
  Zesty                       Undecided    Unassigned
kio (Ubuntu)                  Undecided    Unassigned
  Xenial                      Undecided    Unassigned
  Yakkety                     Undecided    Unassigned
  Zesty                       Undecided    Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kio: Information Leak when accessing https when using a malicious PAC file
Risk Rating: Medium
CVE: TBC
Versions: kio < 5.32, kdelibs < 4.14.30
Date: 28 February 2017

Overview
========
Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.

Solution
========
Update to kio >= 5.32 and kdelibs >= 4.14.30 (when released)

Or apply the following patches:
    kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
kdelibs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559

Credits
=======
Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
and Amit Klein.

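The advisory's fix is to sanitize the URL before it reaches FindProxyForURL(). The following is an added model of that idea in JavaScript (the language PAC files are written in), not code from kio or kdelibs: a constructed PAC script records the url argument it receives, and a small harness shows the difference between passing the raw https URL and a sanitized one. The sanitizer keeps only scheme, host and port for https, which is my reading of the advisory, not a claim about the exact kio patch; runPac, sanitizeUrlForPac and the observed object are assumed names for this example.

```javascript
// Added example: strip credentials, path and query from an https URL before
// handing it to a PAC file's FindProxyForURL(url, host). Modelled on the
// sanitization the KDE advisory describes; not the kio/kdelibs code itself.

function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  // Only https is reduced: over plain http the full URL is on the wire in
  // clear anyway, so the PAC script learns nothing new from it.
  if (u.protocol !== "https:") return rawUrl;
  // u.host keeps a non-default port so the PAC can still choose per port;
  // userinfo, path, query and fragment are dropped.
  return `${u.protocol}//${u.host}/`;
}

// Minimal stand-in for the PAC runtime (assumed harness, not a real resolver):
// evaluate the script in its own function scope and call FindProxyForURL.
// `observed` is an injected object the test PAC writes to so that the caller
// can read back exactly what the script received.
function runPac(pacSource, url, sanitize) {
  const pacUrl = sanitize ? sanitizeUrlForPac(url) : url;
  const host = new URL(url).hostname;
  const observed = {};
  const findProxy = new Function(
    "observed",
    `${pacSource}; return FindProxyForURL;`
  )(observed);
  return { proxy: findProxy(pacUrl, host), urlSeenByPac: observed.url };
}

// Constructed PAC file: behaves normally (DIRECT) but records its argument.
const RECORDING_PAC = `
  function FindProxyForURL(url, host) {
    observed.url = url;
    return "DIRECT";
  }`;

// Constructed sample URL with the sensitive parts the advisory lists:
// userinfo, path and a query carrying a token.
const SECRET_URL =
  "https://alice:hunter2@bank.example:8443/accounts?token=abc123";

// Returns what the PAC saw before and after sanitization.
function demo() {
  return {
    before: runPac(RECORDING_PAC, SECRET_URL, false).urlSeenByPac,
    after: runPac(RECORDING_PAC, SECRET_URL, true).urlSeenByPac,
  };
}
```

Without sanitization the script sees the credentials and token verbatim; with it, only `https://bank.example:8443/` reaches the PAC, while the proxy decision is unchanged.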
wens (alex-volegov) on 2017-03-01
information type: Private Security → Public Security
wens (alex-volegov) on 2017-03-01
tags: added: kubuntu
Rik Mills (rikmills) on 2017-03-01
no longer affects: kio (Ubuntu Trusty)
visred (visred) wrote :

Added kio-yakkety-debdiff.patch

Changed in kde4libs (Ubuntu Yakkety):
status: New → Confirmed
Changed in kio (Ubuntu Yakkety):
status: New → Confirmed
visred (visred) wrote :

Added kde4libs-yakkety-debdiff.patch

The attachment "kio-yakkety-debdiff.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Marc Deslauriers (mdeslaur) wrote :

Thanks for the debdiffs in comment #1 and #2. Packages are building now with a slight changelog whitespace change and will be released as security updates.

visred (visred) wrote :
Marc Deslauriers (mdeslaur) wrote :

There was no build log, probably a launchpad failure. I've mashed the retry button.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.26.0-0ubuntu2.1

---------------
kio (5.26.0-0ubuntu2.1) yakkety-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Wed, 01 Mar 2017 14:28:14 +0530

Changed in kio (Ubuntu Yakkety):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.22-0ubuntu2.1

---------------
kde4libs (4:4.14.22-0ubuntu2.1) yakkety-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Wed, 01 Mar 2017 14:38:27 +0530

Changed in kde4libs (Ubuntu Yakkety):
status: Confirmed → Fix Released
visred (visred) wrote :

debdiff for kio in xenial is attached.

visred (visred) wrote :

debdiff for kde4libs in xenial is attached.

Changed in kio (Ubuntu Xenial):
status: New → Confirmed
Changed in kde4libs (Ubuntu Xenial):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiffs in comments #9 and #10. Packages are building with a changelog whitespace and pocket change and will be released as security updates. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.16-0ubuntu3.1

---------------
kde4libs (4:4.14.16-0ubuntu3.1) xenial-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Thu, 02 Mar 2017 21:43:06 +0530

Changed in kde4libs (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.18.0-0ubuntu1.1

---------------
kio (5.18.0-0ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
    - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
    - Thanks to Safebreach Labs researchers Itzik Kotler, Yonatan Fridburg
      and Amit Klein for reporting this issue, Albert Astals Cid for fixing
      this issue.
    - No CVE number.
    - fixes (LP: #1668871)

 -- <email address hidden> (v.naini) Thu, 02 Mar 2017 21:17:20 +0530

Changed in kio (Ubuntu Xenial):
status: Confirmed → Fix Released
visred (visred) on 2017-03-02
Changed in kde4libs (Ubuntu Zesty):
status: New → Confirmed
Changed in kio (Ubuntu Zesty):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kio - 5.31.0-0ubuntu2

---------------
kio (5.31.0-0ubuntu2) zesty; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
      - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
      - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- Rik Mills <email address hidden> Thu, 02 Mar 2017 21:55:03 +0000

Changed in kio (Ubuntu Zesty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.14.28-0ubuntu3

---------------
kde4libs (4:4.14.28-0ubuntu3) zesty; urgency=medium

  * SECURITY UPDATE:Information Leak when accessing https when using a
    malicious PAC file
     - debian/patches/kio-sanitize-url-to-FindProxyForURL.patch
     - Thanks to Safebreach Labs researchers Safebreach Labs researchers
        Itzik Kotler, Yonatan Fridburg and Amit Klein for reporting this
        issue, Albert Astals Cid for fixing this issue.
      - No CVE number.
      - fixes (LP: #1668871)

 -- Rik Mills <email address hidden> Sat, 04 Mar 2017 10:07:23 +0000

Changed in kde4libs (Ubuntu Zesty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde4libs - 4:4.13.3-0ubuntu0.4

---------------
kde4libs (4:4.13.3-0ubuntu0.4) trusty-security; urgency=medium

  * SECURITY UPDATE: information leak via crafted PAC file (LP: #1668871)
    - debian/patches/CVE-2017-6410.patch: sanitize URLs in
      kio/misc/kpac/script.cpp.
    - CVE-2017-6410

 -- Marc Deslauriers <email address hidden> Wed, 08 Mar 2017 10:25:45 -0500

Changed in kde4libs (Ubuntu Trusty):
status: New → Fix Released