Friday, May 19, 2017

KDE trickery

I published my writeup about CVE-2017-8422 and CVE-2017-8849,
including the PoC for smb4k.

Note that the smb4k helper is most likely not installed by
default on KDE systems. However, other helpers which are
installed by default are affected too, such as kcm_systemd, which
could be leveraged to overwrite arbitrary files.

The most complicated thing about the PoC was to set up
a proper Qt/KDE 4/5 build environment; so I decided to
just use dbus-send with a binary blob instead of
creating my own QVariantMap.
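The binary blob in question is the QDataStream serialization of a QVariantMap, which is how a KAuth helper receives the arguments of an action inside a byte array. The following is an added example (not the PoC from the writeup and not KDE code) that builds such a blob without a Qt build environment and formats it as a dbus-send `array:byte:` argument. It assumes the Qt 5 default QDataStream format (big-endian, QMap written in ascending key order, QVariant as type id plus an is_null byte), supports only the few QMetaType ids shown, and uses a constructed sample map; the D-Bus service, object path and method the blob would be sent to are not named here.

```python
import struct

# QMetaType ids written by QVariant::save (Qt 5); only these are handled here.
QMETATYPE_BOOL = 1
QMETATYPE_INT = 2
QMETATYPE_QSTRING = 10
QMETATYPE_QBYTEARRAY = 12


def qstring(s):
    """Serialize a QString: quint32 byte length, then UTF-16BE code units.
    A null QString is encoded as 0xFFFFFFFF with no data."""
    if s is None:
        return b"\xff\xff\xff\xff"
    data = s.encode("utf-16-be")
    return struct.pack(">I", len(data)) + data


def qbytearray(b):
    """Serialize a QByteArray: quint32 length, then raw bytes (None -> null)."""
    if b is None:
        return b"\xff\xff\xff\xff"
    return struct.pack(">I", len(b)) + b


def qvariant(value):
    """Serialize a QVariant: quint32 type id, qint8 is_null, then the payload."""
    if isinstance(value, bool):  # bool before int: bool subclasses int in Python
        return struct.pack(">IbB", QMETATYPE_BOOL, 0, 1 if value else 0)
    if isinstance(value, int):
        return struct.pack(">Ibi", QMETATYPE_INT, 0, value)
    if isinstance(value, str):
        return struct.pack(">Ib", QMETATYPE_QSTRING, 0) + qstring(value)
    if isinstance(value, (bytes, bytearray)):
        return struct.pack(">Ib", QMETATYPE_QBYTEARRAY, 0) + qbytearray(bytes(value))
    raise TypeError("unsupported QVariant payload: %r" % type(value))


def qvariantmap(d):
    """Serialize a QVariantMap (QMap<QString, QVariant>): quint32 entry count,
    then key/value pairs in ascending key order, the order QMap iterates in."""
    out = struct.pack(">I", len(d))
    for key in sorted(d):
        out += qstring(key) + qvariant(d[key])
    return out


def dbus_send_bytes(blob):
    """Format a blob as the 'array:byte:' argument syntax dbus-send accepts."""
    return "array:byte:" + ",".join("0x%02x" % b for b in blob)


if __name__ == "__main__":
    # Constructed sample arguments; the keys are illustrative, not a real helper's.
    sample = {"share": "//server/share", "readonly": False, "retries": 3}
    blob = qvariantmap(sample)
    print(dbus_send_bytes(blob))
```

The hex dump this prints is what goes on the dbus-send command line in place of a hand-built QVariantMap. The assumption to check before relying on it is the stream version: a helper built against Qt 4 reads the map in reverse key order, so for a KDE 4 target the loop over `sorted(d)` would need to run backwards.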

