[kde-security-preannounce] Privilege Escalation via KDE Clock KCM polkit helper

Jonathan Riddell jr at jriddell.org
Thu Nov 6 16:10:52 UTC 2014


This advisory, named timeshockbleed by the media, has now been made public.

https://www.kde.org/info/security/advisory-20141106-1.txt

Jonathan


On Tue, Nov 04, 2014 at 05:54:30PM +0100, David Edmundson wrote:
>  Jonathan told me to post this here:
> 
>  KDE Project Security Advisory
>  =============================
> 
>  Title: A  A  A  A  A kde-workspace: Privilege Escalation via KDE Clock KCM polkit helperA 
> 
>  Risk Rating:    Medium(?)
>  CVE:            requested. Not been given one yet
>  Platforms:      All
>  Versions:       kde-workspace < 4.14.3
>  Author:         David Edmundson <davidedmundson at kde.org>
>  Date:           4 November 2014
> 
>  Overview
>  ========
> 
>  KDE workspace configuration module for setting the date and time has a helper program
>  which runs as root for performing actions. This is secured with polkit.
> 
>  This helper takes the name of the ntp utility to run as an argument. This allows a hacker
>  to run any arbitrary command as root under the guise of updating the time.
> 
>  Impact
>  ======
> 
>  An application can gain root priveledges from an admin user with either misleading information
>  or no interaction.
> 
>  On some systems the user will be shown a prompt to change the time. However, if the system has
>  policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user
>  without any prompts.
> 
> 
>  Workaround
>  ==========
> 
>  Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action
> 
>  Solution
>  ========
> 
>  Upgrade kde-desktop to 4.14.3 once released or apply the following patch:
>  https://git.reviewboard.kde.org/r/120977/

> _______________________________________________
> Kde-security-preannounce mailing list
> Kde-security-preannounce at kde.org
> https://mail.kde.org/mailman/listinfo/kde-security-preannounce



More information about the release-team mailing list