[kde-security-preannounce] Privilege Escalation via KDE Clock KCM polkit helper

Manuel Rüger mrueg at gentoo.org
Thu Nov 6 17:26:11 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Jonathan,
there's a small typo in the advisory:
priveledges should be priviledges

Manuel

On 06.11.2014 17:10, Jonathan Riddell wrote:
> 
> This advisory, named timeshockbleed by the media, has now been made
> public.
> 
> https://www.kde.org/info/security/advisory-20141106-1.txt
> 
> Jonathan
> 
> 
> On Tue, Nov 04, 2014 at 05:54:30PM +0100, David Edmundson wrote:
>> Jonathan told me to post this here:
>> 
>> KDE Project Security Advisory =============================
>> 
>> Title: A  A  A  A  A kde-workspace: Privilege Escalation via KDE
>> Clock KCM polkit helperA
>> 
>> Risk Rating:    Medium(?) CVE:            requested. Not been
>> given one yet Platforms:      All Versions:       kde-workspace <
>> 4.14.3 Author:         David Edmundson <davidedmundson at kde.org> 
>> Date:           4 November 2014
>> 
>> Overview ========
>> 
>> KDE workspace configuration module for setting the date and time
>> has a helper program which runs as root for performing actions.
>> This is secured with polkit.
>> 
>> This helper takes the name of the ntp utility to run as an
>> argument. This allows a hacker to run any arbitrary command as
>> root under the guise of updating the time.
>> 
>> Impact ======
>> 
>> An application can gain root priveledges from an admin user with
>> either misleading information or no interaction.
>> 
>> On some systems the user will be shown a prompt to change the
>> time. However, if the system has policykit-desktop-privileges
>> installed, the datetime helper will be invoked by an admin user 
>> without any prompts.
>> 
>> 
>> Workaround ==========
>> 
>> Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save
>> action
>> 
>> Solution ========
>> 
>> Upgrade kde-desktop to 4.14.3 once released or apply the
>> following patch: https://git.reviewboard.kde.org/r/120977/
> 
>> _______________________________________________ 
>> Kde-security-preannounce mailing list 
>> Kde-security-preannounce at kde.org 
>> https://mail.kde.org/mailman/listinfo/kde-security-preannounce
> 
> _______________________________________________ release-team
> mailing list release-team at kde.org 
> https://mail.kde.org/mailman/listinfo/release-team
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0

iQJ8BAEBCgBmBQJUW68yXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4MDA1RERERkM0ODM2QkE4MEY3NzY0N0M1
OEZCQTM2QzhEOUQ2MzVDAAoJEFj7o2yNnWNcr+UQAK8JIauZ9FA/9T5j4TCWSUUZ
MmsNHx0k0c+peCZuG4IjVcXNrQ+C0T6NOdlS8nlWzHiv7Z6Dki/XBGnZEXcIvPIL
DG0wNySypavEoHZRGnAk4fBcftxUSZN+qdiUw5gib6aWbjGVYQDTd+zsnx//w52q
T1BpTxmm0POQAeglWYoqhkyonkvjKbmB3SaCDj5VrtxGA9ey7KAo9OdQx0iMBZ3B
yrhroDlTkNB3pfMMyjFeDRIbD9GU0yQstBtp6MbamLyJTdHY4wpMJVQefVuRGbgA
bO5hH5sYtX14r36d9wVLwK6gZ3e6TzAWpasS+G0jDBHUT2a/ewmm33qOOVJJExaL
za45lyCCDA1pAR12EKw1N5341JqpQW9FZ2pLl/4ldZpk97ywYqPw1KYALQrAxLPj
sFIBbVdNOgSO4aPjuGWSkFwm4+Ob0Ji2wzF/O0JABqBNxgZeLPas+9Jv7Fggn8Rc
bigsaxxlj2++QnS/N8IhfYm4vsekjy49ZYaY7zR2O5DQKMDYuAlheh/yapL5QPsC
34A68gxn72joKhWRKTXv999CdJ3C2YGtiZTpnbCT8Z3eo3/i1272p0Vi1zImw9uT
XBS8dx9cWHcOb/1zvbHgtdG3B0M4DiapN+WjQKo3A4802C+uLiqmg8miKDfMnwG4
tmL+aStZ8Aqzd8ysw+ws
=B+tO
-----END PGP SIGNATURE-----


More information about the release-team mailing list