kdesudo+dolphin leads to command execution vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dolphin (Ubuntu) | Invalid | Medium | Martin Böhm |
kdesudo (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: kdesudo
It is not clear whether or not this defect is in kdesudo or dolphin, but I will mark both and let you guys decide.
STEPS:
(1) In dolphin, create a folder called: "test; konqueror" (without quotes)
(2) Right click it, under Actions, choose run as root
WHAT HAPPENS:
(1) Dolphin opens folder "test" as root
(2) Konqueror, after a few seconds, pops up, running as root
EXPECTED BEHAVIOR:
Dolphin should just pop up navigated to the "test; konqueror" folder as root.
This allows folder names to be crafted in a way that causes an unexpected command to be executed with elevated privileges when the user simply wants to navigate to that folder with elevated privileges.
In IRC, fdoving and I tried various combinations of quoting the %u and kdesu arguments in /usr/share/
The basic problem is that kdesu should not be interpreting its arguments as shell code, or dolphin should be shell-escaping its arguments before feeding to kdesu.
Since the other bug was marked as a dup of this, I'll note again that you can fix accidental manifestations of this problem (e.g. a folder called New Folder) by quoting the %u in d3lphin_su, but that won't stand up to deliberate attacks.
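The two remedies discussed in the comments above (quoting the %u versus never treating the folder name as shell code), as an added example that is not part of the original bug thread and is not kdesudo or dolphin code. It assumes the launcher builds a single command string for `sh -c`; the `dolphin` and `konqueror` shell functions are constructed stubs that only print their arguments, and the `launch_*` helpers and the folder name `5" shelf` are made up for illustration.

```shell
#!/bin/sh
# Constructed stubs: stand-ins for the real programs, so nothing is launched.
# Each prints its name followed by every argument it received as <arg>.
STUBS='dolphin() { printf "dolphin"; for a in "$@"; do printf "<%s>" "$a"; done; printf "\n"; }
konqueror() { printf "konqueror"; for a in "$@"; do printf "<%s>" "$a"; done; printf "\n"; }'

# (a) Folder name pasted unquoted into a command string that a shell parses.
launch_unquoted() {
    sh -c "$STUBS
dolphin $1" 2>/dev/null
}

# (b) Same string, with double quotes placed around the substituted name.
launch_quoted() {
    sh -c "$STUBS
dolphin \"$1\"" 2>/dev/null
}

# (c) Name handed over as a positional parameter: the command string is
#     fixed, and the name is only ever data for "$1".
launch_argv() {
    sh -c "$STUBS
dolphin \"\$1\"" sh "$1" 2>/dev/null
}

# Run all three forms over the two names from the report and one constructed
# name that contains a double quote.
for name in 'test; konqueror' 'New Folder' '5" shelf'; do
    printf '%s\n' "--- folder name: $name"
    for f in launch_unquoted launch_quoted launch_argv; do
        printf '%s: ' "$f"
        "$f" "$name" || echo "(shell could not parse the command line)"
    done
done
```

The double-quoted form handles both names from the report, but the shell rejects the command line as soon as the name itself contains a double quote. Only the positional-parameter form delivers every name to the stub as exactly one argument.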