[Konsole-devel] KDE 4 Konsole DBus works -- security objections, privilege escalation possible

Lars Doelle lars.doelle at on-line.de
Mon May 4 20:05:43 UTC 2009


Hi All,

If I read the patch from 3/1/09 right, it allows keystrokes to be simulated remotely.

+   * Sends @p text to the current foreground terminal program.
+   */
+  Q_SCRIPTABLE  void sendText(const QString& text) const;
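
Review bot: the doc comment on sendText() does not say who may call it or which sessions it may reach, and the declaration is marked Q_SCRIPTABLE with no restriction visible in these lines. Document that the text is delivered to the foreground program as input, and consider gating the method behind an opt-in setting. Separately, a method that writes to the terminal is declared const, which misleads readers of the interface.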

From the patch, an even easier-to-abuse facility existed or exists.

-<node>
-  <interface name="org.kde.konsole.KonsoleScripting">
-    <method name="feedAllSessions">
-      <arg name="text" type="s" direction="in"/>
-    </method>
-    <method name="sendAllSessions">
-      <arg name="text" type="s" direction="in"/>
-    </method>
-  </interface>
-</node>
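
Review bot: removing this introspection XML does not by itself show that feedAllSessions and sendAllSessions stop being callable. Confirm that the implementing slots and their adaptor registration are removed in the same change, otherwise the methods may remain reachable without being advertised.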


IMHO, these are all not features, but classical security holes,
since the konsole may run sessions with different privileges.

Assuming, even if the script runs locally with user rights, the feature has no means
to /contain/ the script within the right boundaries of the user. Typically, and I do not
think my usage is very special, I run several sessions with a variety of rights and/or
machines.

'sendAllSessions' allows rights escalation, if one of the sessions is e.g. a root shell.
The current patch allows this too, though perhaps by paging through the sessions.

Technically, if I run the make or install script of unknown software, I can no longer be
sure that it will be contained within the rights (or even machine) I started it, at least
as soon as I do this work while just running /any/ konsole. How shall I know if this
software contains malicious scripting via konsole automation or not? Is this feature
deactivated by default? Are there any means to deactivate it at all? Would deactivation
of the feature help against any malicious program executing with user rights at all,
if it could activate the feature?

Others of the scripting features, e.g. starting sessions, are far less critical, IMO.

Thus, for security reasons, I strongly vote against any feature allowing keystrokes
to be passed via automation through the konsole to the inferior program.


Kind regards,

  Lars 
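
An added example, not part of the original message or of Konsole's code: an offline audit that parses D-Bus introspection XML and lists methods that take caller-supplied text and match the naming of the methods discussed above. The `org.example.Session` interface and the name heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic built from the method names in the message (sendText,
# feedAllSessions, sendAllSessions); an assumption, not a KDE rule.
INJECT_NAME = re.compile(r"^(send|feed)", re.IGNORECASE)

# Constructed sample: the interface quoted in the message plus a
# hypothetical org.example.Session interface for contrast.
SAMPLE_XML = """
<node>
  <interface name="org.kde.konsole.KonsoleScripting">
    <method name="feedAllSessions">
      <arg name="text" type="s" direction="in"/>
    </method>
    <method name="sendAllSessions">
      <arg name="text" type="s" direction="in"/>
    </method>
  </interface>
  <interface name="org.example.Session">
    <method name="sendText">
      <arg name="text" type="s"/>
    </method>
    <method name="title">
      <arg type="s" direction="out"/>
    </method>
    <method name="sendSignal">
      <arg name="signal" type="i" direction="in"/>
    </method>
  </interface>
</node>
"""

def text_injection_methods(introspection_xml):
    """Return sorted (interface, method) pairs that accept caller-supplied text."""
    findings = []
    for iface in ET.fromstring(introspection_xml).iter("interface"):
        for method in iface.findall("method"):
            # A method <arg> without a direction attribute defaults to "in".
            takes_text = any(
                arg.get("direction", "in") == "in" and arg.get("type") in ("s", "as")
                for arg in method.findall("arg"))
            if takes_text and INJECT_NAME.match(method.get("name", "")):
                findings.append((iface.get("name"), method.get("name")))
    return sorted(findings)

if __name__ == "__main__":
    for iface, method in text_injection_methods(SAMPLE_XML):
        print(f"review {iface}.{method}: takes caller-supplied text")
```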


