Comment 0 for bug 893821

Tyler Hicks (tyhicks) wrote:

Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh that could allow a malicious user to execute arbitrary code as the user that is logged into the current X session. The prerequisites for the attack are as follows:

1.) The attacker must be able to run a malicious application on the system. This may not be a mitigating factor on a multi-user system with a malicious user.

2.) gnome-settings-daemon, kpowersave, xfce4-power-manager, guidance-power-manager.py, or dalston-power-applet cannot be running. Note that while one of these programs may be configured to run automatically, it is possible that known denial of service attacks may exist.

3.) powerbtn.sh must be triggered. This may happen by pressing a power button in a bare-metal installation or by virsh shutdown in a virtualized environment.

Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:

su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"

A malicious user may be running a "fake" kded4 binary which has a malicious DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject shell commands that would be expanded as $XUSER. This opens up the possibility of the attacker running code as $XUSER.
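As an added defender-side example (not code from the bug report or from Ubuntu's powerbtn.sh), the following POSIX shell shows how the environ lookup could be done without `eval`: the value is extracted by exact variable name, checked against an allow-list before anything uses it, and the /proc entry's owner is compared to the expected uid. The function names (`safe_dbus_address`, `pid_owned_by_uid`, `make_environ`), the sample environ files and the sample addresses are constructed for this example; it assumes Linux /proc and a POSIX shell with tr, sed, head and GNU stat.

```shell
#!/bin/sh
# Added example (not from the bug report or from powerbtn.sh): read
# DBUS_SESSION_BUS_ADDRESS out of an environ file without `eval` and
# accept it only if it looks like a genuine local session bus address.
# Assumes Linux /proc and a POSIX shell with tr/sed/head/stat.

# Print the exact DBUS_SESSION_BUS_ADDRESS value from a NUL-separated
# environ file ($1); fail silently if it is missing or looks unsafe.
safe_dbus_address() {
  # Anchor on the variable name: the original `grep` also matched
  # FOO_DBUS_SESSION_BUS_ADDRESS_BAR=..., which any user can set freely.
  addr=$(tr '\000' '\n' < "$1" | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1)
  [ -n "$addr" ] || return 1
  # Allow-list the characters: anything a shell could interpret
  # (quotes, $, `, ;, &, |, whitespace, newlines ...) is rejected outright.
  case "$addr" in *[!A-Za-z0-9_./:,=@-]*) return 1 ;; esac
  # Only the two transports a local session bus actually uses.
  case "$addr" in unix:path=/*|unix:abstract=/*) ;; *) return 1 ;; esac
  printf '%s\n' "$addr"
}

# A fake kded4 started by another user lives under a /proc entry owned by
# that user's uid, so refuse to read its environ unless the owner matches ($2).
# Note `pidof` may return several pids; callers must iterate, not splice them.
pid_owned_by_uid() { [ "$(stat -c %u "/proc/$1" 2>/dev/null)" = "$2" ]; }

# Constructed environ files standing in for /proc/<pid>/environ.
make_environ() {
  out=$1; shift; : > "$out"
  for kv in "$@"; do printf '%s\000' "$kv" >> "$out"; done
}

GOOD_ADDR='unix:abstract=/tmp/dbus-AbC123,guid=0123456789abcdef01234567'
demo_dir=${TMPDIR:-/tmp}/powerbtn-demo.$$
mkdir -p "$demo_dir"
make_environ "$demo_dir/real" 'HOME=/home/alice' "DBUS_SESSION_BUS_ADDRESS=$GOOD_ADDR" 'LANG=C'
make_environ "$demo_dir/fake" 'DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/x; echo not-an-address'
make_environ "$demo_dir/decoy" "X_DBUS_SESSION_BUS_ADDRESS_Y=$GOOD_ADDR"

safe_dbus_address "$demo_dir/real"                          # prints the address
safe_dbus_address "$demo_dir/fake" || echo 'fake: rejected'   # shell metacharacters
safe_dbus_address "$demo_dir/decoy" || echo 'decoy: rejected' # wrong variable name
```

The sample files are left under `$demo_dir` for inspection; in a real handler the address would additionally only be read from a pid that passes `pid_owned_by_uid` for the uid of `$XUSER`.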