Current security issues with KAuth support in KIO

Luca Beltrame lbeltrame at kde.org
Sat Jan 13 22:55:16 UTC 2018


(please keep Fabian in CC, he's not subscribed and found most of the
issues reported here)

At openSUSE we have to request reviews by the security team before
new polkit services get accepted. This is the case for the kio kauth helper as 
well.
While the security team raised concerns about the wide capabilities of the
helper (it can easily be used to do literally everything), we had a look at
the implementation itself to find some obvious security issues:

- The privilege is persistent for the entire session (already fixed).
- The confirmation prompt for the kauth action does not tell what is going
  to happen, so you might open a file dialog and then, instead of opening a
  file, write to /bin/sh.
- Trivial stack-based buffer overflow in the kauth helper:
  https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
- The socket used to send and receive file descriptors does not have any kind
  of permission check. You can easily send fds to and receive fds from users of
  the kauth helper on the same machine. (BTW, SocketAddress::length should
  return the actual length of the buffer; currently it adds ~100 '\0' bytes to
  the end.)

In its current state we cannot recommend that anyone enable this.
However, we hope that those issues can be addressed, since it does provide
some useful functionality.

Luca Beltrame
on behalf of the openSUSE KDE Team