Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

CVE-2024-45752: D-Bus service allows configuration by any unprivileged user #473

Closed
hyperair opened this issue Sep 23, 2024 · 2 comments · Fixed by #476
Closed

CVE-2024-45752: D-Bus service allows configuration by any unprivileged user #473

hyperair opened this issue Sep 23, 2024 · 2 comments · Fixed by #476

Comments

@hyperair
Copy link

logiops, in its default configuration, allows any unprivileged user to configure its logid daemon via an unrestricted D-Bus service, including setting malicious keyboard macros. This could potentially enable privilege escalation with minimal user interaction required.

The most basic proof-of-concept assigns a shell command to all buttons for connected peripherals. A more crafty attacker could tailor this operation to specific software used on the system, possibly monitoring the process list and mapping malicious macros at exactly the right moment.

References:
PixlOne added a commit that referenced this issue Sep 28, 2024
@PixlOne
Fix CVE-2024-45752
9495516 
Prevents arbitrary users from accessing d-bus interface. Fixes #473.
This change now requires any application using the LogiOps D-Bus
interface to run as root.
@PixlOne PixlOne mentioned this issue Sep 28, 2024
Merged
@PixlOne
Copy link
Owner

PixlOne commented Sep 28, 2024

@hyperair Thank you for reporting, could you please confirm that this fixes the issue.

@PixlOne PixlOne reopened this Sep 28, 2024
@hyperair
Copy link
Author

hyperair commented Sep 30, 2024
edited
Loading

Yep, I just verified that the updated dbus policy file prevents the exploit script from working.

Note: To anyone testing out the exploit script, back up your logid.cfg first and restore it after

@hyperair hyperair closed this as completed Oct 4, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix CVE-2024-45752 PixlOne/logiops
2 participants
@hyperair @PixlOne