rbreaves / kinto

Mac-style shortcut keys for Linux & Windows.
http://kinto.sh
GNU General Public License v2.0
4.24k stars 212 forks

Security issue: `sudo xkeysnail` without a password allows for privilege escalation (and information leak) #861

Open dguerri opened 3 months ago

dguerri commented 3 months ago

Describe the bug

Kinto installs an insecure sudoers configuration in the `limitedadmins` file. This configuration permits executing `sudo xkeysnail` without requiring a password, and allows the use of arbitrary parameters for xkeysnail. These two facts grant the potential to create a root shell by constructing a specifically crafted Python configuration file.


Another potential misuse involves feeding sensitive files to sudo xkeysnail disguised as configuration files. This trickery can cause xkeysnail to inadvertently print the first line of the file, potentially exposing sensitive information.


Expected behavior

xkeysnail shouldn't be run with sudo insecurely.

- Install Type: Bare Metal and VM
- Distro: Kali Rolling
- DE: Gnome, XFCE, KDE
- Branch: master
- Commit: any

dguerri commented 3 months ago

Moreover, depending on the umask of the system, the `limitedadmins` installation code could make `limitedadmins` world-readable, which is dangerous.
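
An audit for the two problems reported in this issue (a NOPASSWD rule that leaves xkeysnail's arguments open, and a sudoers drop-in that other users can read), as an added example that is not part of the thread or of Kinto's code. The sample rules and paths are constructed, and the parser assumes simple one-line rules without aliases or line continuations.

```python
import os
import re
import stat

# "<who> <hosts> = (<runas>) <tags and commands>" for simple one-line rules.
RULE = re.compile(r"^\S+\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<spec>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

# Constructed sample; paths are hypothetical, not the file Kinto installs.
SAMPLE = """\
%sudo ALL=(root) NOPASSWD: /usr/local/bin/xkeysnail
%sudo ALL=(root) NOPASSWD: /usr/local/bin/xkeysnail /etc/example/config.py
%sudo ALL=(root) NOPASSWD: /usr/bin/systemctl restart xkeysnail, /usr/bin/pkill *
"""

def audit_rules(text):
    """Return (command, reason) for NOPASSWD commands whose arguments are not pinned."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or line.lstrip().startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        nopasswd = False
        for cmnd in re.split(r"(?<!\\),", m.group("spec")):
            cmnd = cmnd.strip()
            # Tags such as NOPASSWD: stay in effect for the commands after them.
            while (tag := TAG.match(cmnd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                cmnd = cmnd[tag.end():]
            path, _, args = cmnd.partition(" ")
            if not nopasswd or not path:
                continue
            if not args.strip():
                # sudoers: a command listed without arguments matches any arguments.
                findings.append((path, "any arguments accepted"))
            elif args.strip() != '""' and re.search(r"[*?\[]", args):
                findings.append((path, "wildcard in arguments"))
    return findings

def audit_mode(path):
    """Return a finding if 'other' has any access or the group can write, else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXO | stat.S_IWGRP):
        return f"{path}: mode {mode:04o}, expected 0440"
    return None

if __name__ == "__main__":
    for path, reason in audit_rules(SAMPLE):
        print(f"{path}: {reason}")
```

A rule that pins the configuration path only helps if that file is owned by root and not writable by the invoking user. Validate a corrected drop-in with `visudo -cf <file>` before installing it.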