Exploiting dolphin/kate through Konsole on X11

Emmanuel Pescosta emmanuelpescosta099 at gmail.com
Tue Jan 12 11:34:53 GMT 2016


Hi,

happy new year!

> Instead I suggest to support performing actions through KAuth.

At least for Dolphin, most of the KAuth support should be added to KIO
itself, so that all KIO clients benefit from it.
(Something to try out in my semester break ;)

Thanks!

Cheers,
Emmanuel

2016-01-04 17:21 GMT+01:00 Martin Graesslin <mgraesslin at kde.org>:

> Hey,
>
> a happy new year to you! Please note: I'm not subscribed to the mailing
> list, so please CC me on replies.
>
> During my too long Christmas break I thought about the security of X11 and
> how I could use core X11 features to become root.
>
> Now I sat down and implemented the attached exploit. The key idea is to
> use an embedded konsole window in a root owned process and send it key
> events. See the attached README as well. The code is also available on [1].
>
> To make it quite clear: this is not an actual vulnerability in your code,
> it's just what X11 does: Wayland will fix it! That's also why I go to public
> mailing lists about it and do not contact security at kde.org.
>
> As both dolphin and kate embed konsole I decided to notify both of you. In
> both your cases I have heard of users "having to" run it as root to perform
> various tasks.
>
> My suggestion is that nevertheless you start disallowing running your
> applications as root. Instead I suggest to support performing actions
> through KAuth. E.g. Kate could support opening/saving root owned files
> through a KAuth action.
>
> Please do not consider checking whether you run on X11. I consider it as
> possible to own the application before you can check whether you are on X11.
>
> Cheers
> Martin
>
> [1] http://commits.kde.org/scratch/graesslin/exploit-dophin-root-x11/6d0e6da564918f876dd3c1d464727358b60a10d6