Vulnerabilities in swhkd, Wayland hotkey manager

A series of vulnerabilities have been identified in swhkd (Simple Wayland HotKey Daemon) caused by incorrect handling of temporary files, command line options, and unix sockets. The program is written in Rust and handles hotkeys in Wayland protocol-based environments (a configuration-file-compatible analog of the sxhkd process used in X11-based environments).

The package includes an unprivileged swhks process that performs the actions bound to hotkeys, and a swhkd background process that runs as root and interacts with input devices through the uinput API. A Unix socket is used for communication between swhks and swhkd. Through Polkit rules, any local user is allowed to run the /usr/bin/swhkd process as root and pass arbitrary parameters to it.

Identified vulnerabilities:

  • CVE-2022-27815 - Saving the PID of a process to a file with a predictable name and in a directory writable by other users (/tmp/swhkd.pid). Any user can create a file /tmp/swhkd.pid and put the pid of an existing process into it, which will make it impossible to start swhkd. In the absence of protection against creating symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any system directory (the PID is written to the file) or determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). It is noteworthy that in the released fix, the PID file was moved not to the /run directory, but to the /etc directory (/etc/swhkd/runtime/swhkd_{uid}.pid), where it also does not belong.
  • CVE-2022-27814 - By manipulating the "-c" command line option used to specify a configuration file, you can determine whether any file on the system exists. For example, to check /root/.somefile, you can run "pkexec /usr/bin/swhkd -d -c /root/.somefile"; if the file is missing, the error "/root/.somefile doesn't exist" is displayed. As with the first vulnerability, the fix is puzzling: it boils down to launching the external utility "cat" to read the configuration file (`Command::new("/bin/cat").arg(path).output()`).
  • CVE-2022-27819 - The problem is also related to the "-c" option: the entire file specified through it is loaded and parsed without checking the file's size or type. For example, to cause a denial of service through memory exhaustion and spurious I/O, you can specify a block device at startup ("pkexec /usr/bin/swhkd -d -c /dev/sda") or a character device that produces an infinite stream of data. The problem was addressed by dropping privileges before opening the file, but the fix is incomplete, since only the user ID (UID) is dropped while the group ID (GID) remains the same.
  • CVE-2022-27818 - The Unix socket is created at /tmp/swhkd.sock, in a world-writable directory, which leads to problems similar to the first vulnerability (any user can create /tmp/swhkd.sock and generate or intercept keypress events).
  • CVE-2022-27817 - Input events are received from all devices and in all sessions, i.e. a user from another Wayland session or from the console can intercept events when other users press hotkeys.
  • CVE-2022-27816 - The swhks process, like swhkd, uses the PID file /tmp/swhks.pid in the publicly writable /tmp directory. The problem is similar to the first vulnerability, but not as dangerous, since swhks runs under an unprivileged user.
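The PID-file and configuration-file issues above (CVE-2022-27815, CVE-2022-27816 and CVE-2022-27819) share two root causes: a predictable path in a world-writable directory that is created without exclusivity, and a read that trusts whatever the path points at. The following is an added example written for this article, not code from the swhkd project, showing how a daemon can avoid both: it creates the PID file with O_CREAT|O_EXCL in a per-user runtime directory (so a planted file or symlink makes the create fail rather than be followed), parses the PID file back as a bounded integer instead of echoing its contents, and inspects the already-opened configuration handle (fstat) to refuse devices, directories and oversized files before reading a single byte. The runtime directory, size limits and the `swhkd_<uid>.pid` naming are assumptions for the example.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::OpenOptionsExt;
use std::path::{Path, PathBuf};

/// Upper bound on a configuration file the daemon will accept.
/// Assumed value for this example, not a project setting.
const MAX_CONFIG_BYTES: u64 = 1024 * 1024;

/// Largest PID-file payload worth parsing: a decimal pid plus a newline.
const MAX_PID_BYTES: u64 = 32;

/// Linux O_NONBLOCK (assumed for Linux/x86_64; real code would use libc::O_NONBLOCK).
/// Prevents the open itself from blocking if the path is a FIFO.
const O_NONBLOCK: i32 = 0o4000;

/// Create `<runtime_dir>/swhkd_<uid>.pid` exclusively.
/// `create_new` maps to O_CREAT|O_EXCL, so an existing file or a symlink
/// planted at that path (even a dangling one) makes the call fail instead
/// of being followed and overwritten with the daemon's pid.
pub fn write_pid_file(runtime_dir: &Path, uid: u32, pid: u32) -> io::Result<PathBuf> {
    let path = runtime_dir.join(format!("swhkd_{}.pid", uid));
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(&path)?;
    writeln!(f, "{}", pid)?;
    Ok(path)
}

/// Read a PID file back as a number. Only a bounded prefix is read and only
/// a well-formed decimal is accepted; arbitrary contents are never printed,
/// so the file cannot be turned into an oracle for reading other files.
pub fn read_pid_file(path: &Path) -> Option<u32> {
    let mut buf = String::new();
    File::open(path).ok()?.take(MAX_PID_BYTES).read_to_string(&mut buf).ok()?;
    buf.trim().parse::<u32>().ok()
}

/// Open a configuration path, then inspect the *opened* handle (fstat) so
/// the check and the read refer to the same inode. Block and character
/// devices, directories, FIFOs and oversized files are refused before any
/// data is read, which closes the /dev/sda-style denial of service.
pub fn read_config_bounded(path: &Path) -> io::Result<String> {
    let f = OpenOptions::new()
        .read(true)
        .custom_flags(O_NONBLOCK)
        .open(path)?;
    let meta = f.metadata()?;
    if !meta.file_type().is_file() {
        return Err(io::Error::new(
            io::ErrorKind::InvalidInput,
            "config path is not a regular file",
        ));
    }
    if meta.len() > MAX_CONFIG_BYTES {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            "config file exceeds size limit",
        ));
    }
    let mut text = String::new();
    // `take` caps the read even if the file grows after the fstat.
    f.take(MAX_CONFIG_BYTES).read_to_string(&mut text)?;
    Ok(text)
}

fn main() -> io::Result<()> {
    // Constructed scratch directory standing in for a per-user runtime dir.
    let dir = std::env::temp_dir().join(format!("swhkd-example-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let pid_path = write_pid_file(&dir, 1000, std::process::id())?;
    println!("pid file {} -> {:?}", pid_path.display(), read_pid_file(&pid_path));
    println!("second exclusive create: {:?}", write_pid_file(&dir, 1000, 1).is_err());
    println!(
        "/dev/zero as config refused: {}",
        read_config_bounded(Path::new("/dev/zero")).is_err()
    );
    fs::remove_dir_all(&dir)
}
```

The key design choice is that every decision is made on the opened file descriptor rather than on the path: a path can be swapped for a symlink or a device between a check and a use, but an fstat on the handle you are about to read from cannot be fooled that way. The GID half of CVE-2022-27819's fix is outside this snippet; a daemon that drops privileges before the open must call setgid (and clear supplementary groups) before setuid, since after setuid it no longer has the rights to change its group.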

Source: opennet.ru