Date: Tue, 4 Nov 2014 15:12:25 +0100 From: David Edmundson <davidedmundson@....org> To: oss-security@...ts.openwall.com Subject: Privilege Escalation via KDE Clock KCM polkit helper Hello, I found a security issue in KDE which under Ubuntu and some other distros allows a program to run arbitrary processes as root from an admin user without any prompts. I need a CVE number. I understand you are an authority that can provide this. Let me know if I can help provide anything else. KDE Project Security Advisory ============================= Title: kde-workspace: Risk Rating: Medium (??) CVE: ??? Platforms: All Versions: kde-workspace < 4.14.3 Author: David Edmundson <davidedmundson@....org> Date: 4 November 2014 Overview ======== KDE workspace configuration module for setting the date and time has a helper program which runs as root for performing actions. This is secured with polkit. This helper takes the name of the ntp utility to run as an argument. This allows a hacker to run any arbitrary command as root under the guise of updating the time. Impact ====== An application can gain root priveledges from an admin user with either misleading information or no interaction. On some systems the user will be shown a prompt to change the time. However, if the system has policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user without any prompts. Workaround ========== Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action Solution ======== Upgrade kde-desktop to 4.14.3 once released or apply the following patch: https://git.reviewboard.kde.org/r/120977/ Credits ======= Thanks to David Edmundson for finding and fixing the issue
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ