Exploiting dolphin/kate through Konsole on X11
Martin Graesslin
mgraesslin at kde.org
Mon Jan 4 16:21:27 GMT 2016
Hey,

a happy new year to you! Please note: I'm not subscribed to the mailing list, so please CC me on replies.

During my too long Christmas break I thought about the security of X11 and how I could use core X11 features to become root.

Now I sat down and implemented the attached exploit. The key idea is to use an embedded konsole window in a root-owned process and send it key events. See the attached README as well. The code is also available on [1].

To make it quite clear: this is not an actual vulnerability in your code, it's just what X11 does: Wayland will fix it! That's also why I go to public mailing lists about it and do not contact security at kde.org.

As both dolphin and kate embed konsole I decided to notify both of you. In both your cases I have heard of users "having to" run it as root to perform various tasks.

My suggestion is that nevertheless you start disallowing running your applications as root. Instead I suggest supporting performing actions through KAuth. E.g. Kate could support opening/saving root-owned files through a KAuth action.

Please do not consider checking whether you run on X11. I consider it possible to own the application before you can check whether you are on X11.

Cheers
Martin
[1] http://commits.kde.org/scratch/graesslin/exploit-dophin-root-x11/6d0e6da564918f876dd3c1d464727358b60a10d6
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CMakeLists.txt
Type: text/x-cmake
Size: 609 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20160104/106bc500/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: exploit.cpp
Type: text/x-c++src
Size: 2074 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20160104/106bc500/attachment.cpp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: README.md
Type: text/markdown
Size: 712 bytes
Desc: not available
URL: <https://mail.kde.org/mailman/private/kfm-devel/attachments/20160104/106bc500/attachment.md>