Current security issues with KAuth support in KIO
Elvis Angelaccio
elvis.angelaccio at kde.org
Sun Jan 14 10:12:15 UTC 2018
On Saturday 13 January 2018 23:55:16 CET, Luca Beltrame wrote:
> (please keep Fabian in CC, he's not subscribed and found out most of the
> issues reported here)
>
> At openSUSE we have to request reviews by the security team before
> new polkit services get accepted. This is the case for the kio
> kauth helper as well.
> While the security team raised concerns with the wide capabilities of the
> helper (it can easily be used to do literally everything), we had a look at
> the implementation itself to find some obvious security issues:
>
> - The privilege is persistent for the entire session
No, it's not. Despite the name, 'Persistence=session' just means the
privilege is kept for a few minutes.
> (already fixed).
Why was 029da62886e0 committed without code review?
> - The confirmation prompt for the kauth action use does not tell what is going
> to happen. So you might open a file dialog and then instead of opening a
> file, write to /bin/sh.
> - Trivial stack-based buffer overflow in the kauth helper:
> https://cgit.kde.org/kio.git/tree/src/ioslaves/file/sharefd_p.h#n57
> - The socket used to send and receive file descriptors does not have any kind
> of permission check. You can easily send fds to and receive fds from users of
> the kauth helper on the same machine. (BTW, SocketAddress::length should
> return the actual length of the buffer, currently it adds ~100 '\0' bytes to
> the end)
>
> In its current state we cannot recommend that anyone enable this.
> However, we hope that those issues can be addressed, it does provide some
> useful functionality.
Is someone already working on fixes for the above issues?
>
> Luca Beltrame
> on behalf of the openSUSE KDE Team
Cheers,
Elvis