KDE Plasma Login Manager Privileged D-Bus Helper Arbitrary File Manipulation Vulnerability

Vulnerability

A vulnerability exists in the KDE Plasma Login Manager's D-Bus helper, 'plasmaloginauthhelper', in version 6.6.2. The helper runs with root privileges, and several of its D-Bus methods let a compromised 'plasmalogin' service account manipulate arbitrary files because they follow symbolic links under that account's control. The 'sync()' method can be exploited to change file ownerships through symbolic links, while the 'reset()' method can delete arbitrary files by following symlinks. Additionally, the 'save()' method, intended for wallpaper management, can be abused to write files to unintended locations, causing local denial-of-service and integrity issues.

Impact

Exploitation of this vulnerability could lead to unauthorized file ownership changes, arbitrary file deletions, and improper file writes, all of which could be used to escalate privileges or disrupt system integrity.

Reproduction

To reproduce this vulnerability, the 'plasmalogin' service account must first be compromised. Once it is, the 'sync()' method can be called to perform 'chown()' operations on arbitrary files by placing symlinked configuration files in the 'plasmalogin' home directory. The 'reset()' method can be used to delete files outside of the 'plasmalogin' directory by following symlinks. Finally, the 'save()' method can be exploited to write wallpaper files to arbitrary locations by replacing the target directory with a symlink before the files are written.
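As an added illustration, not code from the Plasma project or from upstream's fix, the following shows how a root helper can perform sync()- and save()-style file operations on a service account's directory without following a symlink the account owner planted there: every path component is opened relative to a directory descriptor with O_NOFOLLOW, ownership is changed through the descriptor, and new files are created with O_EXCL. The function names, the 'kwinrc' and 'wallpapers' entries and the temporary layout are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open one path component below dirfd, refusing to follow a symlink at that name. */
static int open_nofollow(int dirfd, const char *name, int flags, mode_t mode) {
    return openat(dirfd, name, flags | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY, mode);
}

/* sync()-style step: chown through the descriptor. O_NOFOLLOW makes a planted symlink fail
 * with ELOOP, O_NONBLOCK keeps a planted FIFO from stalling the helper, non-regular files are refused. */
int chown_config_file(int dirfd, const char *name, uid_t uid, gid_t gid) {
    int fd = open_nofollow(dirfd, name, O_RDONLY | O_NONBLOCK, 0);
    if (fd < 0) return -1;
    struct stat st;
    int rc = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) ? fchown(fd, uid, gid) : -1;
    close(fd); return rc;
}

/* save()-style step: O_NOFOLLOW refuses a subdirectory swapped for a symlink, and O_EXCL
 * refuses any pre-existing entry (a dangling symlink included) at the target name. */
int save_wallpaper(int dirfd, const char *subdir, const char *name, const char *data, size_t len) {
    int sub = open_nofollow(dirfd, subdir, O_RDONLY | O_DIRECTORY, 0);
    if (sub < 0) return -1;
    int fd = open_nofollow(sub, name, O_WRONLY | O_CREAT | O_EXCL, 0644);
    close(sub);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    close(fd); return n == (ssize_t)len ? 0 : -1;
}

/* Constructed layout (not the real helper's); returns a bitmask of which calls succeeded. */
int demo(void) {
    char tmpl[] = "/tmp/helperdemoXXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    int dfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC), bits = 0;
    close(open_nofollow(dfd, "kwinrc", O_WRONLY | O_CREAT, 0600));  /* genuine config file */
    symlinkat("/etc/passwd", dfd, "planted");                        /* planted symlink */
    mkdirat(dfd, "wallpapers", 0700); symlinkat("/etc", dfd, "swapped"); /* real dir, swapped dir */
    if (chown_config_file(dfd, "kwinrc", geteuid(), getegid()) == 0) bits |= 1;
    if (chown_config_file(dfd, "planted", geteuid(), getegid()) == 0) bits |= 2;
    if (save_wallpaper(dfd, "wallpapers", "bg.png", "png", 3) == 0) bits |= 4;
    if (save_wallpaper(dfd, "swapped", "bg.png", "png", 3) == 0) bits |= 8;
    const char *e[] = {"kwinrc", "planted", "swapped", "wallpapers/bg.png"};
    for (int i = 0; i < 4; i++) unlinkat(dfd, e[i], 0);   /* removes the entry, never a link's target */
    unlinkat(dfd, "wallpapers", AT_REMOVEDIR); close(dfd); rmdir(tmpl);
    return bits;   /* expected 5: only the genuine targets succeed */
}
```

Deletion needs no extra handling at this level because unlinkat() removes the directory entry itself and never follows a link; the remaining risk is a recursive delete that descends into symlinked directories, which the same O_NOFOLLOW|O_DIRECTORY open prevents.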

Remediation

Upstream has acknowledged the vulnerability and a fix is planned for the next Plasma release on May 12, 2026.

Added: May 13, 2026, 4:31 PM
Updated: May 13, 2026, 4:31 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 3.7
remediation: 0.0
relevance: 8.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.