Current security issues with KAuth support in KIO

Fabian Vogt fabian at ritter-vogt.de
Mon Feb 5 08:13:29 UTC 2018


Hi,

Am Sonntag, 4. Februar 2018, 23:47:26 CET schrieb Albert Astals Cid:
> So we're having KF5 5.43 next week, has this been figured out?

not quite, but it's on the right track (unlikely for 5.43 though). See below.

Cheers,
Fabian

> I find this thread ended too open ended for my taste.
> 
> Cheers,
>   Albert
> 
> El dissabte, 13 de gener de 2018, a les 23:55:16 CET, Luca Beltrame va
> escriure:
> > (please keep Fabian in CC, he's not subscribed and found out most of the
> > issues reported here)
> > 
> > At openSUSE we have to request reviews by the security team before
> > new polkit services get accepted. This is the case for the kio kauth helper
> > as well.
> > While the security team raised concerns with the wide capabilities of the
> > helper (it can easily be used to do literally everything), we had a look at
> > the implementation itself to find some obvious security issues:
> > 
> > - The privilege is persistent for the entire session (already fixed).

Not fixed, needs some rework.

> > - The confirmation prompt for the kauth action use does not tell what is
> > going to happen. So you might open a file dialog and then instead of
> > opening a file, write to /bin/sh.

Not fixed, probably needs some changes in KAuth or at the very least splitting
the current action into multiple ones.

> > - Trivial stack-based buffer overflow in the kauth helper:
> >   https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57

Fixed.

> > - The socket used to send and receive file descriptors does not have any
> > kind of permission check. You can easily send fds to and receive fds from
> > users of the kauth helper on the same machine.

Fixed.

> > (BTW,
> > SocketAddress::length should return the actual length of the buffer,
> > currently it adds ~100 '\0' bytes to the end)

Fixed.

> > 
> > In its current state we can not recommend anyone to enable this.
> > However, we hope that those issues can be addressed, it does provide some
> > useful functionality.
> > 
> > Luca Beltrame
> > on behalf of the openSUSE KDE Team
> 
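As an added example (not KIO's code and not from anyone in this thread), the two socket-side issues reported above in hardened form: a bounds-checked sockaddr_un builder that returns the exact address length instead of the whole padded struct, and a Linux SO_PEERCRED check a helper can use to verify the uid of the process on the other end of the fd-passing socket. The function names and the socket path are assumptions of this example.

```c
#define _GNU_SOURCE           /* struct ucred / SO_PEERCRED on Linux */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill `addr` for a Unix socket at `path`.  Paths that would not fit in
 * sun_path are rejected instead of overflowing the struct.  Returns the
 * length to hand to bind()/connect(): offsetof(sun_path) + strlen + 1,
 * so no trailing '\0' padding is ever sent.  Returns 0 on error. */
socklen_t build_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t n = strlen(path);
    if (n == 0 || n >= sizeof(addr->sun_path))
        return 0;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, n + 1);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Ask the kernel who is on the other end of a connected AF_UNIX socket
 * (SO_PEERCRED, Linux-specific).  Returns 1 only if that process runs as
 * `expected_uid`; a helper should refuse to exchange fds otherwise. */
int peer_uid_matches(int sock, uid_t expected_uid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(sock, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return 0;
    return cred.uid == expected_uid;
}

int main(void)
{
    struct sockaddr_un addr;
    int sv[2];
    /* Constructed sample path; a real helper would use its own socket name. */
    socklen_t len = build_unix_addr(&addr, "/tmp/example-fd-helper.sock");
    printf("address length: %u (sizeof struct: %zu)\n", len, sizeof(addr));
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        printf("peer is us: %d\n", peer_uid_matches(sv[0], getuid()));
        close(sv[0]);
        close(sv[1]);
    }
    return 0;
}
```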