Vulnerabilities > CVE-2007-1799 - Remote Directory Traversal Variant vulnerability in Ktorrent 2.1.1/2.1.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Directory traversal vulnerability in torrent.cpp in KTorrent before 2.1.3 only checks for the ".." string, which allows remote attackers to overwrite arbitrary files via modified ".." sequences in a torrent filename, as demonstrated by "../" sequences, due to an incomplete fix for CVE-2007-1384.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_KTORRENT-3049.NASL description Ktorrent insufficiently validated the target file name. A malicious Server could therefore overwrite arbitary files of the user (CVE-2007-1384 / CVE-2007-1799). Another bug could be exploited to crash Ktorrent. (CVE-2007-1385) last seen 2020-06-01 modified 2020-06-02 plugin id 29498 published 2007-12-13 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/29498 title SuSE 10 Security Update : ktorrent (ZYPP Patch Number 3049) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(29498); script_version ("1.13"); script_cvs_date("Date: 2019/10/25 13:36:30"); script_cve_id("CVE-2007-1384", "CVE-2007-1385", "CVE-2007-1799"); script_name(english:"SuSE 10 Security Update : ktorrent (ZYPP Patch Number 3049)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Ktorrent insufficiently validated the target file name. A malicious Server could therefore overwrite arbitary files of the user (CVE-2007-1384 / CVE-2007-1799). Another bug could be exploited to crash Ktorrent. (CVE-2007-1385)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-1384.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-1385.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2007-1799.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 3049."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:0, reference:"ktorrent-1.2-20.8")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2007-095.NASL description A directory traversal vulnerability was found in KTorrent prior to 2.1.2, due to an incomplete fix for a prior directory traversal vulnerability that was corrected in version 2.1.2. Previously, KTorrent would only check for the string .., which could permit strings such as ../. Updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 37741 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37741 title Mandrake Linux Security Advisory : ktorrent (MDKSA-2007:095) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2007:095. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(37741); script_version ("1.11"); script_cvs_date("Date: 2019/08/02 13:32:49"); script_cve_id("CVE-2007-1799"); script_xref(name:"MDKSA", value:"2007:095"); script_name(english:"Mandrake Linux Security Advisory : ktorrent (MDKSA-2007:095)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandrake Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A directory traversal vulnerability was found in KTorrent prior to 2.1.2, due to an incomplete fix for a prior directory traversal vulnerability that was corrected in version 2.1.2. Previously, KTorrent would only check for the string .., which could permit strings such as ../. Updated packages have been patched to correct this issue." ); script_set_attribute( attribute:"solution", value: "Update the affected ktorrent, lib64ktorrent2.1.2 and / or libktorrent2.1.2 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ktorrent"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64ktorrent2.1.2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libktorrent2.1.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007.1"); script_set_attribute(attribute:"patch_publication_date", value:"2007/05/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK2007.1", reference:"ktorrent-2.1.2-2.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"x86_64", reference:"lib64ktorrent2.1.2-2.1.2-2.1mdv2007.1", yank:"mdv")) flag++; if (rpm_check(release:"MDK2007.1", cpu:"i386", reference:"libktorrent2.1.2-2.1.2-2.1mdv2007.1", yank:"mdv")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-436-1.NASL description Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent by torrent peers. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28031 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28031 title Ubuntu 6.06 LTS / 6.10 : ktorrent vulnerabilities (USN-436-1) NASL family SuSE Local Security Checks NASL id SUSE_KTORRENT-3057.NASL description Ktorrent insufficiently validated the target file name. A malicious Server could therefore overwrite arbitary files of the user (CVE-2007-1384,CVE-2007-1799). Another bug could be exploited to crash Ktorrent (CVE-2007-1385). last seen 2020-06-01 modified 2020-06-02 plugin id 27314 published 2007-10-17 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27314 title openSUSE 10 Security Update : ktorrent (ktorrent-3057) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1373.NASL description It was discovered that ktorrent, a BitTorrent client for KDE, was vulnerable to a directory traversal bug which potentially allowed remote users to overwrite arbitrary files. last seen 2020-06-01 modified 2020-06-02 plugin id 26034 published 2007-09-14 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/26034 title Debian DSA-1373-2 : ktorrent - directory traversal NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-436-2.NASL description USN-436-1 fixed a vulnerability in KTorrent. The original fix for path traversal was incomplete, allowing for alternate vectors of attack. This update solves the problem. Bryan Burns of Juniper Networks discovered that KTorrent did not correctly validate the destination file paths nor the HAVE statements sent by torrent peers. A malicious remote peer could send specially crafted messages to overwrite files or execute arbitrary code with user privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 28032 published 2007-11-10 reporter Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/28032 title Ubuntu 6.06 LTS / 6.10 / 7.04 : ktorrent vulnerability (USN-436-2) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200705-01.NASL description The remote host is affected by the vulnerability described in GLSA-200705-01 (Ktorrent: Multiple vulnerabilities) Bryan Burns of Juniper Networks discovered a vulnerability in chunkcounter.cpp when processing large or negative idx values, and a directory traversal vulnerability in torrent.cpp. Impact : A remote attacker could entice a user to download a specially crafted torrent file, possibly resulting in the remote execution of arbitrary code with the privileges of the user running Ktorrent. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25131 published 2007-05-02 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25131 title GLSA-200705-01 : Ktorrent: Multiple vulnerabilities
References
- http://bugs.kde.org/show_bug.cgi?id=143637
- http://secunia.com/advisories/24995
- http://secunia.com/advisories/25097
- http://secunia.com/advisories/26773
- http://security.gentoo.org/glsa/glsa-200705-01.xml
- http://www.debian.org/security/2007/dsa-1373
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:095
- http://www.novell.com/linux/security/advisories/2007_007_suse.html
- http://www.securityfocus.com/bid/23745
- http://www.ubuntu.com/usn/usn-436-2
- https://bugs.gentoo.org/show_bug.cgi?id=170303
- https://exchange.xforce.ibmcloud.com/vulnerabilities/33566