ShadowBlip InputPlumber Polkit Authentication Bypass and Race Condition Vulnerability
Vulnerability
A vulnerability in ShadowBlip InputPlumber versions prior to 0.69.0 allows a Polkit authentication bypass and introduces a race condition in the authorization process. This can lead to unauthorized access to D-Bus methods, enabling UI input injection and potential denial-of-service conditions. The issue arises because Polkit authentication is disabled by default and, when it is enabled, the authorization check is performed incorrectly, creating an exploitable race condition.
Impact
Exploitation of this vulnerability can bypass Polkit authentication, allowing unauthorized access to D-Bus methods that can inject input into the active user session. This could lead to privilege escalation, as injected input can be used to execute commands or actions as the logged-in user.
Reproduction
The vulnerability can be reproduced by creating a custom build of InputPlumber that enables Polkit authentication. Once this build is installed, the 'CreateCompositeDevice' method can be called with the path to a file that the user would not normally be allowed to read, such as a history file. This demonstrates the missing authorization check and the resulting access to restricted information. Additionally, the 'CreateTargetDevice' method can be used to create a virtual keyboard device, which can then inject keystrokes into the active session, exploiting the race condition in the Polkit authorization check.
Remediation
Users should update to ShadowBlip InputPlumber version 0.69.0 or later, where these issues have been addressed. Note, however, that some aspects of the D-Bus API remain unresolved and could still allow memory exhaustion attacks.