InputPlumber Lack of D-Bus Authorization Vulnerability Allowing Denial-of-Service and Privilege Escalation

Vulnerability

A vulnerability exists in InputPlumber versions prior to 0.63.0 due to a lack of proper authorization on the InputManager D-Bus interface. This oversight can lead to local denial-of-service conditions, information leaks, and even privilege escalation within the active user session. The D-Bus service, which runs with full root privileges, allows unprivileged users to access methods that can create virtual input devices and inject key presses, potentially facilitating arbitrary code execution.

Impact

Exploitation of this vulnerability can cause a local denial-of-service by exhausting InputPlumber's memory. Additionally, it allows unauthorized access to D-Bus methods that can escalate privileges by injecting input into the active user session, with the possibility of executing arbitrary code in the context of the logged-in user.

Reproduction

The vulnerability can be reproduced by calling D-Bus methods of the InputManager interface without proper authorization. In versions prior to 0.63.0, this can be done by any user on the system. Once the methods are accessed, they can be used to create virtual input devices that inject key presses into the active session.

Remediation

Users are advised to update InputPlumber to version 0.69.0 or later, where the D-Bus authorization issues have been addressed. Be aware, however, that some aspects of the vulnerability may persist because the D-Bus API has not yet been fully updated to accept file descriptors instead of paths, which can still lead to memory exhaustion in InputPlumber.
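As an added illustration of the authorization gap described above (not InputPlumber's own configuration), the following system-bus policy file shows the permissive shape beside a restricted one that limits the manager interface to root while leaving introspection open; the bus name and interface name are placeholders, since the advisory does not give them.

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- Placeholder names: substitute the service's real bus and interface names. -->

  <!-- WEAK: any local user may call every method on the root-owned service. -->
  <!--
  <policy context="default">
    <allow send_destination="org.example.InputPlumber"/>
  </policy>
  -->

  <!-- RESTRICTED: only root owns the name and may call the manager interface. -->
  <policy user="root">
    <allow own="org.example.InputPlumber"/>
    <allow send_destination="org.example.InputPlumber"/>
    <allow receive_sender="org.example.InputPlumber"/>
  </policy>

  <!-- Everyone else may only introspect and read properties; method calls
       on the manager interface are denied (default rules run first, user
       rules above override them for root). -->
  <policy context="default">
    <deny send_destination="org.example.InputPlumber"/>
    <allow send_destination="org.example.InputPlumber"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.example.InputPlumber"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
    <deny send_destination="org.example.InputPlumber"
          send_interface="org.example.InputPlumber.Manager"/>
  </policy>
</busconfig>
```

Policy files of this form live under the system bus's `system.d` directory; a bus policy only gates who may send to the service, so it complements rather than replaces authorization checks inside the daemon itself.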

Added: Jan 14, 2026, 12:19 PM
Updated: Jan 14, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 4.3
remediation: 0.0
relevance: 2.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.