
List:       kde-devel
Subject:    Re: KLineEdit Security
From:       "Martin T. Sandsmark" <sandsmark () samfundet ! no>
Date:       2009-05-21 23:16:40
Message-ID: 200905220116.41030.sandsmark () samfundet ! no

On Friday 22. May 2009 00:41:54 you wrote:
> did you read my notice on "absolute paths required", what is (basically)
> checked through argv[0] by the app itself

Well, you can't trust the app that is run as a user. What if I LD_PRELOAD in a 
small library only overriding strcmp? "Of course "/usr/foo" is the same as 
"/home/bar"" :-)

> again: that's no system à la Ubuntu. absolutely not designed to be "end
> user clicks with a mouse" friendly. it's actually pretty inconvenient...
> :-(
>
> if you manage to replace the app in its absolute path, or e.g. chroot or
> manipulate the init process, you're of course in, but in your last mail you
> just had user access, not root one ;-P

I'm not sure I understand you. What checks the path?

> the problem i did not address was a MitM attack, but the key events are
> usually signed by the KB (the crucial part here is that the app needs a
> reliable idea about the valid keyboards signing key - what means: it's
> compiled in and when loaded watched against writing attempts - though as
> mentioned it should not be possible to link some user lib in as e.g.
> LD_PRELOAD is simply ignored...)

Well, you still assume that the app can trust itself.

> if the app doesn't get a signed event it won't react and if you type and
> the little dots don't appear in the box that ought to have grabbed the
> keyboard, you should start worrying and STOP typing ;-P

What if it isn't the right box that appears, but an identical one, only that 
it doesn't care about signed keyboard events (and logs everything you write)? 
The app doesn't know, and has the right absolute path, only a tiny library 
preloaded in.

> (the MitM attack itself won't be trivial anyway, as the input device
> dispatcher only allows one client at a time and yells a messagebox when
> another client wants to register, including its full path. the dispatcher
> runs as a special user and gets launched during sysinit... and you still
> don't have root access =P )

This would potentially also be extremely annoying.
For example, what about a griefing attack, where people put hidden iframes on 
websites with password dialogs on them, just to annoy the heck out of you? :-)

(I'm sure there are much better examples, but it is getting late here now.)

-- 
martin t. sandsmark
