Password Disclosure for SMB Shares in KDE's Konqueror


| Password Disclosure for SMB Shares in KDE's Konqueror |



Date: Nov. 29, 2004

Author: Daniel Fabian

Product: KDE, Konquerer

Vendor: KDE e. V. (

Vendor-Status: vendor contacted

Vendor-Patches: none available so far

Attack Vector: Local





The KDE program Konquerer allows for browsing SMB shares comfortably

through the GUI. By placing a shortcut to an SMB share on KDE's

desktop, an attacker can disclose his victim's password in





Affected Versions


The problem has been successfully reproduced with KDE 3.2.1 on a

standard SuSE 9.1 distribution. I have not been able to reproduce

the issue on a KDE 3.3.0, however the developers of KDE claimed

that there might be a related issue in both KDE 3.3 as well as the

upcoming KDE 3.4.




Vendor Status


The vendor has been notified and was very cooperative. We set a

coordinated disclosure date to Nov. 10th. However Nov. 10th passed,

without a patch available. My mail for a new date has gone

unanswered for more than two weeks now, so I suppose it is ok to

release this advisory, very much so since this is not an issue that

can be widely exploited anyway.






Opening the URL "smb:/" in Konquerer allows KDE users to browse the

local network for SMB shares. Upon selecting a computer, the user

has to enter a password, if access to that computer is resticted.

While the URL of the SMB share correctly does not show the password

in Konqueror's address bar, this can be easily bypassed by copying

a shortcut to a certain share to the desktop.


The created desktop icon will be given a name (and address) following

this scheme:




The password can be read in plaintext by an attacker. So while a

colleague is getting some coffee or having a short nap at

his desk, it is most easy to get the password of his open

SMB shares.






Oct. 06: Discovery of the vulnerability

Oct. 10: Initial vendor reply

Nov. 10: Planed coordinated disclosure

Nov. 29: Final disclosure




Counter Measures


Until a patch is available, just lock your computer every time

you leave it (should be done regardless of this issue).



EOF Daniel Fabian / @2004

d.fabian at sec-consult dot com






SEC Consult Unternehmensberatung GmbH


Buero Wien

Blindengasse 3

A-1080 Wien



Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office at sec-consult dot com