Vigil@nce - KDE: certificate spoofing via KSSL and Rekonq
October 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use an X.509 certificate with a malicious Common
Name, in order to deceive the victim who uses KSSL or Rekonq.
Severity: 1/4
Creation date: 03/10/2011
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The Qt graphic library uses QLabel objects, in order to display a
text area.
The text format is defined in the enum Qt::TextFormat:
– Qt::PlainText: raw text
– Qt::RichText: complex text (table, frame, list, etc.)
– Qt::AutoText: autodetection of PlainText or RichText
By default, QLabel uses the Qt::AutoText format, so it analyzes
the content to detect how to display it.
The KSSL class and the Rekonq browser use a QLabel to display the
Common Name of an X.509 certificate. However, the default AutoText
format is kept (instead of PlainText). If the Common Name contains
a table written as RichText, its second row is then drawn above the
field.
An attacker can therefore use an X.509 certificate with a
malicious Common Name, in order to deceive the victim who uses
KSSL or Rekonq.
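The following is an added example (not KDE's, Qt's or Vigil@nce's code) that models the display decision described above in plain C++ so it runs without Qt. The rich-text detector is an assumed, simplified stand-in for the heuristic Qt applies in Qt::AutoText mode, and the escaping helper and the sample Common Name are constructed for this illustration. It shows that a Common Name carrying table markup is treated as markup under AutoText, that forcing plain text (what a Qt program does with QLabel::setTextFormat(Qt::PlainText)) makes the same string display literally, and that escaping the value is a second line of defence when the widget's format cannot be controlled.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// ASSUMPTION: simplified model of an AutoText-style detector. Text counts
// as rich text if it contains '<' followed by a letter or '/', with a
// closing '>' later on. This is not Qt's implementation.
bool looksLikeRichText(const std::string& s) {
    for (size_t i = 0; i + 1 < s.size(); ++i) {
        const unsigned char next = static_cast<unsigned char>(s[i + 1]);
        if (s[i] == '<' && (std::isalpha(next) || next == '/')) {
            if (s.find('>', i + 2) != std::string::npos) return true;
        }
    }
    return false;
}

// Escape markup-significant characters so an attacker-controlled string is
// shown literally even if a widget is left in AutoText or RichText mode.
std::string htmlEscape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&': out += "&amp;"; break;
            case '<': out += "&lt;"; break;
            case '>': out += "&gt;"; break;
            case '"': out += "&quot;"; break;
            default:  out += c; break;
        }
    }
    return out;
}

enum class DisplayMode { Literal, Markup };

// Models how a label would interpret a certificate Common Name:
// forcePlainText=true corresponds to Qt::PlainText, false to Qt::AutoText.
DisplayMode displayModeForCommonName(const std::string& cn, bool forcePlainText) {
    if (forcePlainText) return DisplayMode::Literal;
    return looksLikeRichText(cn) ? DisplayMode::Markup : DisplayMode::Literal;
}

// Constructed sample: a hostname-looking CN and a CN carrying a two-row table.
const std::string kBenignCN = "www.example.com";
const std::string kMarkupCN =
    "<table><tr><td>www.example.com</td></tr><tr><td>spoofed</td></tr></table>";

int main() {
    auto show = [](const std::string& cn, bool plain) {
        return displayModeForCommonName(cn, plain) == DisplayMode::Markup
            ? "Markup" : "Literal";
    };
    std::cout << "AutoText, benign CN:   " << show(kBenignCN, false) << "\n";
    std::cout << "AutoText, table CN:    " << show(kMarkupCN, false) << "\n";
    std::cout << "PlainText, table CN:   " << show(kMarkupCN, true) << "\n";
    std::cout << "AutoText, escaped CN:  " << show(htmlEscape(kMarkupCN), false) << "\n";
    return 0;
}
```

The fix the advisory implies is the first one: set the label to Qt::PlainText before handing it any value taken from a certificate. Escaping is shown because it also protects code paths where the widget's text format is not under the caller's control.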
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/KDE-certificate-spoofing-via-KSSL-and-Rekonq-11028