Bug 498957

Summary: [CVE-2024-37408] Security attention for fingerprint
Product: [Plasma] policykit-kde-agent-1 Reporter: Yaron Shahrabani <sh.yaron>
Component: generalAssignee: Unassigned bugs <unassigned-bugs-null>
Status: CONFIRMED ---    
Severity: major CC: drf, jgrulich, jreznik, kde, kde, kdedev, nate, security
Priority: NOR    
Version First Reported In: master   
Target Milestone: ---   
Platform: Kubuntu   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=505177
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Yaron Shahrabani 2025-01-21 12:03:42 UTC 
SUMMARY
When fingerprint is configured, launching pkexec will prompt for my fingerprint, I can send this window to the background which could serve an attacker to do some malicious actions on my behalf.

STEPS TO REPRODUCE
(On a machine with fingerprint authentication configured)
1. Open a terminal
2. Run "pkexec whoami"
3. Observe the PolicyKit dialog
4. Send the dialog to the background
5. Tap the fingerprint reader

OBSERVED RESULT
The terminal will display root although the PolicyKit window wasn't even focused.

EXPECTED RESULT
The fingerprint should be handled only when the PolicyKit dialog is focused and in the front, otherwise the fingerprint should affect.

SOFTWARE/OS VERSIONS
Operating System: Kubuntu 24.10
KDE Plasma Version: 6.1.5
KDE Frameworks Version: 6.6.0
Qt Version: 6.6.2
Kernel Version: 6.11.0-13-generic (64-bit)
(Although irrelevant)

ADDITIONAL INFORMATION
The CVE is much wider but this is one of the ways to exploit this vulnerability in KDE (Doesn't happen in GNOME).
Comment 1 David Redondo 2025-01-21 14:32:52 UTC 
Please see https://kde.org/info/security/ the next time
Comment 2 David Edmundson 2025-01-21 15:11:16 UTC 
Bug report is valid.  Arguably if you have executable code that can launch pkexec and manipulate window stacking order one could do a tonne of other attacks anyway so not more urgent than the known state, but the known state isn't exactly great.

Ultimately we need to be treating this auth dialog to be a fully blocking system component, like how the lockscreen works.
Comment 3 Yaron Shahrabani 2025-01-21 21:31:00 UTC 
Sorry about reporting the wrong way. 

Although blocking the screen is a good option there's another way which is implemented in Mac, the fingerprint is being recognized only if the authentication screen is focused, I'm not sure it's possible.

I can try and put my hands on some screenshots.