[kde-security-preannounce] Privilege Escalation via KDE Clock KCM polkit helper
jr at jriddell.org
Thu Nov 6 16:10:52 UTC 2014
This advisory, named timeshockbleed by the media, has now been made public.
On Tue, Nov 04, 2014 at 05:54:30PM +0100, David Edmundson wrote:
> Jonathan told me to post this here:
> KDE Project Security Advisory
> Title: A A A A A kde-workspace: Privilege Escalation via KDE Clock KCM polkit helperA
> Risk Rating: Medium(?)
> CVE: requested. Not been given one yet
> Platforms: All
> Versions: kde-workspace < 4.14.3
> Author: David Edmundson <davidedmundson at kde.org>
> Date: 4 November 2014
> KDE workspace configuration module for setting the date and time has a helper program
> which runs as root for performing actions. This is secured with polkit.
> This helper takes the name of the ntp utility to run as an argument. This allows a hacker
> to run any arbitrary command as root under the guise of updating the time.
> An application can gain root priveledges from an admin user with either misleading information
> or no interaction.
> On some systems the user will be shown a prompt to change the time. However, if the system has
> policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user
> without any prompts.
> Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action
> Upgrade kde-desktop to 4.14.3 once released or apply the following patch:
> Kde-security-preannounce mailing list
> Kde-security-preannounce at kde.org
More information about the release-team