Users login

Create an account »


Users login

Home » Hacking News » iDEFENSE Security Advisory 11.11.02: Buffer Overflow in KDE resLISa

iDEFENSE Security Advisory 11.11.02: Buffer Overflow in KDE resLISa

by Nikola Strahija on November 11th, 2002 KDE is a popular open source graphical desktop environment for Unix workstations. Its kdenetwork module contains a LAN browsing implementation known as LISa, which is used to identify CIFS and other servers on the local network. LISa consists of two main modules: "lisa", a network daemon, and "resLISa", a restricted version of the lisa daemon created by Alexander Neundorf. LISa's lisa module can be accessed in KDE using the URL type "lan://"; the resLISa module can be accessed using the URL type "rlan://".


Local exploitation of a buffer overflow within the resLISa module
could allow an attacker to gain elevated privileges. The overflow
exists in the parsing of the LOGNAME environment variable; an overly
long value will overwrite the instruction pointer, thereby allowing
an attacker to seize control of the executable. The following is a
snapshot of the exploit in action:

[email protected]:~$ ./reslisa_bof
[email protected]:~$ NetManager::prepare: listen failed
sh-2.05a$ id
uid=1000(farmer) gid=1000(farmer) groups=1000(farmer)

While the attacker's privileges have not been escalated, the
following shows the creation of a raw socket that is accessible by
the attacker:

[email protected]:~$ lsof | grep raw
sh 1413 farmer 3u raw 1432 00000000:0001->00000000:0000 st=07

[email protected]:~$ cd /proc/1413/fd/
[email protected]:/proc/1413/fd$ ls -l
total 0
lrwx------ 1 farmer farmer 64 Oct 11 02:47 0 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 1 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 2 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 255 -> /dev/pts/3
lrwx------ 1 farmer farmer 64 Oct 11 02:47 3 -> socket:[1432]
l-wx------ 1 farmer farmer 64 Oct 11 02:47 4 -> /dev/null
lrwx------ 1 farmer farmer 64 Oct 11 02:47 5 -> socket:[1433]


Local attackers can use access to a raw socket to sniff network
traffic and generate malicious traffic (such as network scans, ARP
redirects, DNS poisoning). This can lead to further compromise of the
target system as well as other neighboring systems, depending on
network trust relationships.


This vulnerability exists in all versions of resLISa included within
kdenetwork packages found in versions of KDE before 3.0.5. To
determine if a specific implementation is vulnerable issue the
following commands:

$ LOGNAME=`perl -e 'print "A"x5000'`
$ `which reslisa` -c .

If the application exits, printing "signal caught: 11, exiting", then
it is vulnerable. The above example was performed on resLISa version
0.1.1 which is packaged and distributed with Debian 3.0r0.


KDE 3.0.5 fixes this vulnerability, as well as a remotely exploitable
buffer overflow found in LISa by Olaf Kirch of SuSE Linux AG. More
information about the fix is available at Individual Unix vendors should be
providing updated KDE distributions on their appropriate download

Lisa 0.2.2, which also fixes these issues and compiles independent of
KDE, can be downloaded at


The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
assigned the identification number CAN-2002-1247 to this issue.


10/02/2002 Issue disclosed to iDEFENSE
10/31/2002 Maintainer, Alexander Neundorf ([email protected]),
and Linux Security list ([email protected]) notified
10/31/2002 Response received from Alexander Neundorf
11/01/2002 iDEFENSE clients notified
11/11/2002 Coordinated public disclosure


Texonet ( discovered this vulnerability.

Get paid for security research

Subscribe to iDEFENSE Advisories:
send email to [email protected], subject line: "subscribe"


iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,

- -dave

David Endler, CISSP
Director, Technical Intelligence
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

[email protected]

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »