rbreaves/kinto

Security issue: `sudo xkeysnail` without a password allows for privilege escalation (and information leak)

dguerri opened this issue · 1 comments

Describe the bug
Kinto installs an insecure sudoers configuration in the `limitedadmins` file. This configuration permits executing `sudo xkeysnail` without requiring a password, and allows the use of arbitrary parameters for xkeysnail. These two facts grant the potential to create a root shell by constructing a specifically crafted Python configuration file.

Another potential misuse involves feeding sensitive files to sudo xkeysnail disguised as configuration files. This trickery can cause xkeysnail to inadvertently print the first line of the file, potentially exposing sensitive information.

Expected behavior

xkeysnail shouldn't be run with sudo insecurely.

Install Type: Bare Metal and VM
Distro: Kali Rolling
DE: Gnome, XFCE, KDE
Branch: master
Commit: any

Moreover, depending on the umask of the system, the `limitedadmins` installation code could make `limitedadmins` world-readable, which is dangerous.
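
An audit check for the two conditions reported above, added here as an example; it is not part of the issue or of Kinto's code. The helper name `audit_sudoers_dropin` is hypothetical, and the sample rules are constructed, not the actual contents of Kinto's `limitedadmins` file.

```shell
#!/bin/sh
# Added example: audit a sudoers drop-in for the two weaknesses named in the issue.
# audit_sudoers_dropin is a hypothetical helper name, not part of Kinto or sudo.

audit_sudoers_dropin() {
    f=$1
    # 1. Permissions: flag the file if "other" has read access.
    if [ -n "$(find "$f" -prune -perm -004 2>/dev/null)" ]; then
        echo "WORLD-READABLE: $f"
    fi
    # 2. NOPASSWD rules: in sudoers, a command listed with no arguments may be
    #    run with ANY arguments; a trailing "" means "no arguments allowed".
    awk '
        /^[ \t]*#/ { next }                      # skip comments
        /NOPASSWD:/ {
            spec = $0
            sub(/.*NOPASSWD:[ \t]*/, "", spec)   # keep the command list
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[ \t]+|[ \t]+$/, "", c)   # trim
                if (c == "")              continue
                if (c !~ /[ \t]/)         print "ANY-ARGS: " c
                else if (c ~ /[*?]/)      print "WILDCARD-ARGS: " c
            }
        }' "$f"
}

# Constructed sample file (not Kinto's actual limitedadmins content).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample rules
%sudo ALL=(root) NOPASSWD: /usr/local/bin/xkeysnail
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart example.service
bob   ALL=(root) NOPASSWD: /usr/bin/id ""
EOF
chmod 0644 "$sample"          # simulate a permissive umask at install time
audit_sudoers_dropin "$sample"
rm -f "$sample"
```

An empty result means neither condition was found; the rules with a fixed argument list or `""` are not flagged.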