Current security issues with KAuth support in KIO
Luca Beltrame
lbeltrame at kde.org
Sat Jan 13 22:55:16 UTC 2018
(please keep Fabian in CC, he's not subscribed and found out most of the
issues reported here)
At openSUSE we have to request reviews by the security team before
new polkit services get accepted. This is the case for the kio kauth helper as
well.
While the security team raised concerns with the wide capabilities of the
helper (it can easily be used to do literally everything), we had a look at
the implementation itself to find some obvious security issues:
- The privilege is persistent for the entire session (already fixed).
- The confirmation prompt for the kauth action use does not tell what is going
to happen. So you might open a file dialog and then instead of opening a
file, write to /bin/sh.
- Trivial stack-based buffer overflow in the kauth helper:
https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
- The socket used to send and receive file descriptors does not have any kind
of permission check. You can easily send fds to and receive fds from users of
the kauth helper on the same machine. (BTW, SocketAddress::length should
return the actual length of the buffer, currently it adds ~100 '\0' bytes to
the end)
In its current state we cannot recommend that anyone enable this.
However, we hope that those issues can be addressed, as it does provide some
useful functionality.
Luca Beltrame
on behalf of the openSUSE KDE Team