privilege escalation in clock kcontrol

Bug #1389665 reported by Jonathan Riddell on 2014-11-05
Affects                  Status  Importance  Assigned to  Milestone
kde-workspace (Ubuntu)           Undecided   Unassigned
  Precise                        Undecided   Unassigned
  Trusty                         Undecided   Unassigned
  Utopic                         Undecided   Unassigned
  Vivid                          Undecided   Unassigned

Bug Description

KDE Project Security Advisory
=============================

Title: kde-workspace: Privilege Escalation via KDE Clock KCM polkit helper

Risk Rating: Medium(?)
CVE: requested; it has not been given one yet
Platforms: All
Versions: kde-workspace < 4.14.3
Author: David Edmundson <email address hidden>
Date: 4 November 2014

Overview
========

The KDE workspace configuration module for setting the date and time has a helper program
which runs as root for performing actions. This is secured with polkit.

This helper takes the name of the ntp utility to run as an argument. This allows a hacker
to run any arbitrary command as root under the guise of updating the time.

Impact
======

An application can gain root privileges from an admin user with either misleading information
or no interaction.

On some systems the user will be shown a prompt to change the time. However, if the system has
policykit-desktop-privileges installed, the datetime helper will be invoked by an admin user
without any prompts.

Workaround
==========

Add a polkit rule to disable the org.kde.kcontrol.kcmclock.save action

Solution
========

Upgrade kde-desktop to 4.14.3 once released or apply the following patch:

Jonathan Riddell (jr) wrote :

to be made public on 6th November
I have a vivid package ready to upload

Jamie Strandboge (jdstrand) wrote :

Thanks for the patches. Unfortunately, due to bug #1047417, precise has been updated with 4.8.5 and so much of kde needs to be rebuilt against the security pocket for this security update.

Jamie Strandboge (jdstrand) wrote :

(meaning, the update will be delayed)

Jamie Strandboge (jdstrand) wrote :

Ah, it appears only kdepimlibs needs a no change rebuild (we already updated other bits in the security ppa previously).

Changed in kde-workspace (Ubuntu Precise):
status: New → In Progress
Changed in kde-workspace (Ubuntu Trusty):
status: New → In Progress
Changed in kde-workspace (Ubuntu Utopic):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Precise FTBFS:
../../../kcontrol/dateandtime/helper.cpp: In function 'QString findNtpUtility()':
../../../kcontrol/dateandtime/helper.cpp:54:80: error: 'exePath' was not declared in this scope
make[5]: *** [kcontrol/dateandtime/CMakeFiles/kcmdatetimehelper.dir/helper.o] Error 1
make[5]: Leaving directory `/«PKGBUILDDIR»/obj-x86_64-linux-gnu'
make[4]: *** [kcontrol/dateandtime/CMakeFiles/kcmdatetimehelper.dir/all] Error 2
make[4]: *** Waiting for unfinished jobs....

is this patch from upstream?

Changed in kde-workspace (Ubuntu Precise):
status: In Progress → Incomplete
Jamie Strandboge (jdstrand) wrote :

What is happening is that kcontrol/dateandtime/helper.cpp is missing:
// We cannot rely on the $PATH environment variable, because D-Bus activation
// clears it. So we have to use a reasonable default.
static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");

This was apparently added in a previous commit. Jonathon, can you confirm that adding the above to the patch is all that is needed?
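The hardening that the advisory's Overview and the exePath note above describe, as an added illustration in plain C++ without Qt (it is not the kde-workspace helper's own code): the root helper resolves only a bare, allow-listed utility name along its own fixed search path, so a caller can no longer name an arbitrary binary. The allow-list contents and the function signatures are assumptions.

```cpp
// Added example (not the kde-workspace code): a hardened lookup for the NTP utility
// run by a root-privileged helper. The caller may pass only a bare utility *name*;
// the helper itself decides where to look (fixed exePath, as in upstream helper.cpp)
// and which names are acceptable. The allow-list contents are an assumption.
#include <string>
#include <vector>
#include <sstream>
#include <cstdio>
#include <cstdlib>
#include <unistd.h>
#include <sys/stat.h>

// We cannot rely on $PATH (D-Bus activation clears it), so use a fixed default.
static const std::string kExePath = "/usr/sbin:/usr/bin:/sbin:/bin";

// Utilities the helper is willing to run as root (assumed list for this example).
static const std::vector<std::string> kKnownNtpUtilities = {"ntpdate", "rdate", "sntp"};

// A name is acceptable only if it is a bare file name on the allow-list:
// no path separators, so "../sh" or "/tmp/evil" can never reach exec.
bool isAllowedNtpUtility(const std::string& name) {
    if (name.empty() || name.find('/') != std::string::npos) return false;
    for (const auto& known : kKnownNtpUtilities)
        if (name == known) return true;
    return false;
}

// Resolve an allowed name to an executable along searchPath (default: kExePath).
// Returns "" when the name is rejected or nothing executable is found; the caller
// must treat "" as "run nothing" rather than falling back to the caller's string.
std::string findNtpUtility(const std::string& name,
                           const std::string& searchPath = kExePath) {
    if (!isAllowedNtpUtility(name)) return "";
    std::istringstream dirs(searchPath);
    std::string dir;
    while (std::getline(dirs, dir, ':')) {
        if (dir.empty()) continue;
        const std::string candidate = dir + "/" + name;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
            access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}
```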

Jamie Strandboge (jdstrand) wrote :

(sorry, I of course meant Jonathan).

Jonathan Riddell (jr) wrote :

Upstream patch gone public, debdiffs updated with final version
https://www.kde.org/info/security/advisory-20141106-1.txt

Jamie Strandboge (jdstrand) wrote :

FYI, the updated precise patch looks like it will still FTBFS in dateandtime/helper.cpp. Have you built and tested these locally?

Jamie Strandboge (jdstrand) wrote :

FYI, updating the updated patch and also using exePath with findExe() for hwclock and zic like on 4.11.

Changed in kde-workspace (Ubuntu Precise):
status: Incomplete → In Progress
Changed in kde-workspace (Ubuntu Utopic):
status: In Progress → Fix Committed
Changed in kde-workspace (Ubuntu Trusty):
status: In Progress → Fix Committed
information type: Private Security → Public Security
Jonathan Riddell (jr) wrote :

This is now allocated CVE-2014-8651

building locally now..

Changed in kde-workspace (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.8.5-0ubuntu0.4

---------------
kde-workspace (4:4.8.5-0ubuntu0.4) precise-security; urgency=medium

  [ Jonathan Riddell ]
  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665

  [ Jamie Strandboge ]
  * update upstream_clock-privilage-escalation.diff to add exePath definition
    to fix a FTBFS, and also use exePath with hwclock and zic, like on newer
    releases
 -- Jamie Strandboge <email address hidden> Thu, 06 Nov 2014 14:22:00 -0600

Changed in kde-workspace (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.11.12-0ubuntu1.1

---------------
kde-workspace (4:4.11.12-0ubuntu1.1) utopic-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665
 -- Jonathan Riddell <email address hidden> Wed, 05 Nov 2014 13:10:05 +0100

Changed in kde-workspace (Ubuntu Utopic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kde-workspace - 4:4.11.11-0ubuntu0.2

---------------
kde-workspace (4:4.11.11-0ubuntu0.2) trusty-security; urgency=medium

  * SECURITY UPDATE: Privilege Escalation via KDE Clock KCM polkit helper
   - Add upstream_clock-privilage-escalation.diff, checks which
     binary is being run
   - https://www.kde.org/info/security/advisory-20141106-1.txt
   - LP: #1389665
 -- Jonathan Riddell <email address hidden> Wed, 05 Nov 2014 13:14:49 +0100

Changed in kde-workspace (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in kde-workspace (Ubuntu Vivid):
status: New → Invalid