Vulnerabilities > CVE-2007-1385 - Remote vulnerability in KTorrent

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
joris-guisson
nessus
NVD
Published: 2007-03-10
Updated: 2011-03-08

Summary

chunkcounter.cpp in KTorrent before 2.1.2 allows remote attackers to cause a denial of service (crash) and heap corruption via a negative or large idx value. This vulnerability has been addressed in the following product update: http://ktorrent.org/index.php?page=downloads

Vulnerable Configurations

Part Description Count
Application
Joris_Guisson
1

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_KTORRENT-3049.NASL
    descriptionKtorrent insufficiently validated the target file name. A malicious Server could therefore overwrite arbitary files of the user (CVE-2007-1384 / CVE-2007-1799). Another bug could be exploited to crash Ktorrent. (CVE-2007-1385)
    last seen2020-06-01
    modified2020-06-02
    plugin id29498
    published2007-12-13
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/29498
    titleSuSE 10 Security Update : ktorrent (ZYPP Patch Number 3049)
    code
    #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(29498);
  script_version ("1.13");
  script_cvs_date("Date: 2019/10/25 13:36:30");

  script_cve_id("CVE-2007-1384", "CVE-2007-1385", "CVE-2007-1799");

  script_name(english:"SuSE 10 Security Update : ktorrent (ZYPP Patch Number 3049)");
  script_summary(english:"Checks rpm output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Ktorrent insufficiently validated the target file name. A malicious
Server could therefore overwrite arbitary files of the user
(CVE-2007-1384 / CVE-2007-1799). Another bug could be exploited to
crash Ktorrent. (CVE-2007-1385)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-1384.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-1385.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2007-1799.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 3049.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


flag = 0;
if (rpm_check(release:"SLED10", sp:0, reference:"ktorrent-1.2-20.8")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else exit(0, "The host is not affected.");
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2007-093-02.NASL
    descriptionNew ktorrent packages are available for Slackware 11.0 and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24917
    published2007-04-05
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24917
    titleSlackware 11.0 / current : ktorrent (SSA:2007-093-02)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-436-1.NASL
    descriptionBryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent by torrent peers. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id28031
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/28031
    titleUbuntu 6.06 LTS / 6.10 : ktorrent vulnerabilities (USN-436-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_KTORRENT-3057.NASL
    descriptionKtorrent insufficiently validated the target file name. A malicious Server could therefore overwrite arbitary files of the user (CVE-2007-1384,CVE-2007-1799). Another bug could be exploited to crash Ktorrent (CVE-2007-1385).
    last seen2020-06-01
    modified2020-06-02
    plugin id27314
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27314
    titleopenSUSE 10 Security Update : ktorrent (ktorrent-3057)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_73F53712D02811DB8C070211D85F11FB.NASL
    descriptionTwo problems have been found in KTorrent : - KTorrent does not properly sanitize file names to filter out
    last seen2020-06-01
    modified2020-06-02
    plugin id24797
    published2007-03-12
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/24797
    titleFreeBSD : ktorrent -- multiple vulnerabilities (73f53712-d028-11db-8c07-0211d85f11fb)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200705-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200705-01 (Ktorrent: Multiple vulnerabilities) Bryan Burns of Juniper Networks discovered a vulnerability in chunkcounter.cpp when processing large or negative idx values, and a directory traversal vulnerability in torrent.cpp. Impact : A remote attacker could entice a user to download a specially crafted torrent file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running Ktorrent. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id25131
    published2007-05-02
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/25131
    titleGLSA-200705-01 : Ktorrent: Multiple vulnerabilities

References