[krita] [Bug 506889] New: Task injection vulnerability in Krita

Victor Souza bugzilla_noreply at kde.org
Thu Jul 10 22:33:02 BST 2025


https://bugs.kde.org/show_bug.cgi?id=506889

            Bug ID: 506889
           Summary: Task injection vulnerability in Krita
    Classification: Applications
           Product: krita
Version First Reported In: 5.2.9
          Platform: macOS (DMG)
                OS: macOS
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: General
          Assignee: krita-bugs-null at kde.org
          Reporter: souza_comz at outlook.com
  Target Milestone: ---

Created attachment 183146
  --> https://bugs.kde.org/attachment.cgi?id=183146&action=edit
POC-OBJC-Krita-Injection

SUMMARY


STEPS TO REPRODUCE
1. Run Krita (/Applications/Krita.app).
2. Save the following Objective-C code as inject_krita.m. It locates the Krita
process, acquires its task port, maps memory, writes ARM64 shellcode, and
creates a remote thread in the Krita process. The shellcode writes a file to
/tmp/hi_krita.
3. Compile the payload: clang -framework Foundation -framework AppKit
inject_krita.m -o inject_krita
4. Create an entitlements file named entitlements.plist with the following
contents:
'''
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
'''
5. Sign the binary with the entitlement: codesign -s - --entitlements
entitlements.plist --options runtime --force inject_krita
6. Run inject_krita
7. If successful, Krita will exit and the payload will create /tmp/hi_krita
with the contents pwn\n, confirming code execution inside the Krita process.
8. cat /tmp/hi_krita

OBSERVED RESULT
task_for_pid() returns KERN_SUCCESS for the Krita process.
Remote memory mapping, shellcode injection, and thread creation succeed.
The Krita process executes attacker-controlled code.


EXPECTED RESULT
Krita release builds should not include com.apple.security.get-task-allow. This
entitlement is intended only for development/debugging builds.
In production, it should be removed to prevent task port abuse and unauthorized
code injection by local processes.

SOFTWARE/OS VERSIONS
macOS: 15.5 (Sequoia), Apple Silicon
Linux/KDE Plasma: N/A
KDE Plasma Version: N/A
KDE Frameworks Version: N/A

ADDITIONAL INFORMATION
To verify the entitlement in the Krita binary, run:
 codesign -dvvvv --entitlements - /Applications/krita.app

To disable it, just uncheck the options in the hardened runtime in Xcode.
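As an added, defender-side check that is not part of this bug report: a POSIX shell snippet that detects com.apple.security.get-task-allow in an entitlements plist, plus a wrapper around the codesign invocation quoted above. The sample plist is constructed for the example; check_bundle only works on macOS, where codesign exists.

```shell
#!/bin/sh
# Added example, not from the bug report: flag release builds that still
# carry com.apple.security.get-task-allow, the entitlement that lets a
# local process obtain the app's task port through task_for_pid().

# Reads entitlements XML on stdin; returns 0 if get-task-allow is true,
# 1 otherwise. The key and its <true/> value are usually on separate
# lines, so newlines are removed and runs of blanks squeezed before matching.
# Only grep's exit status is used, so the binary header that some codesign
# versions print before the XML does not break the check.
has_get_task_allow() {
    tr -d '\n\r' | tr -s ' \t' ' ' \
        | grep -q '<key>com\.apple\.security\.get-task-allow</key> *<true/>'
}

# Wrapper around the codesign invocation from the report (macOS only).
# Exit codes: 0 entitlement absent, 1 entitlement present, 2 codesign failed.
check_bundle() {
    ents=$(codesign -d --entitlements - "$1" 2>/dev/null) || return 2
    if printf '%s' "$ents" | has_get_task_allow; then
        echo "WARNING: $1 grants get-task-allow; its task port is obtainable"
        return 1
    fi
    echo "OK: $1 does not grant get-task-allow"
}

# Constructed sample: entitlements of a debug-signed build.
SAMPLE_DEBUG_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'

# Classify the constructed sample without needing codesign.
if printf '%s' "$SAMPLE_DEBUG_ENTITLEMENTS" | has_get_task_allow; then
    echo "sample: get-task-allow present (debug entitlement, remove for release)"
fi

# With a path argument, inspect a real bundle or binary on macOS.
if [ $# -gt 0 ]; then
    check_bundle "$1"
fi
```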


More information about the kde-mac mailing list