[kde-security-preannounce] Privilege Escalation via KDE Clock KCM polkit helper
Jonathan Riddell
jr at jriddell.org
Thu Nov 6 16:10:52 UTC 2014
This advisory, named timeshockbleed by the media, has now been made public.
https://www.kde.org/info/security/advisory-20141106-1.txt
Jonathan
On Tue, Nov 04, 2014 at 05:54:30PM +0100, David Edmundson wrote:
> Jonathan told me to post this here:
>
> KDE Project Security Advisory
> =============================
>
> Title: kde-workspace: Privilege Escalation via KDE Clock KCM polkit helper
>
> Risk Rating: Medium(?)
> CVE: requested. Not been given one yet
> Platforms: All
> Versions: kde-workspace < 4.14.3
> Author: David Edmundson <davidedmundson at kde.org>
> Date: 4 November 2014
>
> Overview
> ========
>
> KDE workspace configuration module for setting the date and time has a helper program
> which runs as root for performing actions. This is secured with polkit.
>
> This helper takes the name of the ntp utility to run as an argument. This allows a hacker
> to run any arbitrary command as root under the guise of updating the time.
>
> Impact
> ======
>
> An application can gain root privileges from an admin user with either misleading information
> or no interaction.
>
> On some systems the user will be shown a prompt to change the time. However, if the system has
> policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user
> without any prompts.
>
>
> Workaround
> ==========
>
> Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action
>
> Solution
> ========
>
> Upgrade kde-desktop to 4.14.3 once released or apply the following patch:
> https://git.reviewboard.kde.org/r/120977/
> _______________________________________________
> Kde-security-preannounce mailing list
> Kde-security-preannounce at kde.org
> https://mail.kde.org/mailman/listinfo/kde-security-preannounce
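The advisory's root cause is a root helper that runs whatever NTP utility name its caller passes in. The sketch below is an added example, not kde-workspace code and not the patch from the review request above: it shows one way a helper can accept only a bare name from a fixed allowlist, resolve it in trusted directories, and execute it without a shell. The allowlist entries, directory list and function names are assumptions made for illustration.

```cpp
#include <algorithm>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Assumed allowlist and trusted directories; adjust for the target system.
static const std::vector<std::string> kAllowedNtpTools = {"ntpdate", "rdate"};
static const std::vector<std::string> kTrustedDirs = {"/usr/sbin", "/usr/bin", "/sbin", "/bin"};

// Accept only a bare utility name that is on the allowlist. Anything with a
// path separator, or any name not listed, is rejected outright.
bool isAllowedNtpTool(const std::string &requested) {
    if (requested.empty() || requested.find('/') != std::string::npos)
        return false;
    return std::find(kAllowedNtpTools.begin(), kAllowedNtpTools.end(),
                     requested) != kAllowedNtpTools.end();
}

// Resolve an allowed name to an absolute path inside a trusted directory.
// The caller's PATH is never consulted. Returns "" if rejected or not found.
std::string resolveNtpTool(const std::string &requested) {
    if (!isAllowedNtpTool(requested))
        return "";
    for (const auto &dir : kTrustedDirs) {
        const std::string candidate = dir + "/" + requested;
        if (access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}

// Run the resolved binary directly with execve(): no shell, empty environment.
// Returns the exit status, or -1 on failure.
int runResolved(const std::string &path, const std::vector<std::string> &args) {
    std::vector<char *> argv;
    argv.push_back(const_cast<char *>(path.c_str()));
    for (const auto &a : args)
        argv.push_back(const_cast<char *>(a.c_str()));
    argv.push_back(nullptr);
    char *const envp[] = {nullptr};
    const pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path.c_str(), argv.data(), envp);
        _exit(127);  // exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```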