Replies: 1 comment 1 reply
-
You will need to provide a POC of what you are explaining. Otherwise, I would have no way to recreate it on my side and to look for a possible solution. Like most apps, evince does not open URLs directly but through To my understanding of Wayland, this is managed by the Wayland compositor (mutter on Gnome, with
-
I believe that there is a vulnerability when a program X opens a hyperlink or a document in a program Y with GUI. Namely, X can partially control Y. Thus X circumvents program isolation enforced by AppArmor. For example, X is Evince and Y is Firefox.
The mechanism of the vulnerability is as follows. When opening a hyperlink or a document, X starts Y as a child process, so X creates environment variables for Y. X creates an environment variable that contains the path to the display server. For example, this environment variable may be `WAYLAND_DISPLAY`. X sets the value of this environment variable to the path to the socket that X controls. Hence X controls the GUI of Y. The vulnerability is as grave as the things one can do via the GUI of Y. For example, if a user manages their bank accounts with Firefox, X may steal money.
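As an added example (not code from this discussion), a small Python audit that checks the claim above from the defender's side: it resolves `WAYLAND_DISPLAY` the way libwayland does (an absolute value is used as-is, a relative name is joined with `XDG_RUNTIME_DIR`) and reports when a child process would connect to a different socket than its parent, or to one outside the runtime directory. The sample environments are constructed; the `/proc` helpers assume Linux.

```python
import os
import sys
from typing import Dict, List, Optional


def wayland_socket_path(env: Dict[str, str]) -> Optional[str]:
    """Socket a Wayland client with this environment would connect to."""
    name = env.get("WAYLAND_DISPLAY")
    if not name:
        return None
    if os.path.isabs(name):
        return os.path.normpath(name)  # libwayland accepts absolute paths
    runtime_dir = env.get("XDG_RUNTIME_DIR")
    if not runtime_dir:
        return None  # relative name cannot be resolved without the runtime dir
    return os.path.normpath(os.path.join(runtime_dir, name))


def audit_child_display(parent_env: Dict[str, str], child_env: Dict[str, str]) -> List[str]:
    """Findings about the child's compositor socket; empty list means nothing odd."""
    findings = []
    parent_sock = wayland_socket_path(parent_env)
    child_sock = wayland_socket_path(child_env)
    if child_sock is None:
        return findings
    runtime_dir = child_env.get("XDG_RUNTIME_DIR") or parent_env.get("XDG_RUNTIME_DIR")
    if runtime_dir and not child_sock.startswith(os.path.normpath(runtime_dir) + os.sep):
        findings.append(f"socket outside XDG_RUNTIME_DIR: {child_sock}")
    if parent_sock is not None and child_sock != parent_sock:
        findings.append(f"socket differs from parent: {parent_sock} -> {child_sock}")
    return findings


def read_proc_environ(pid: int) -> Dict[str, str]:
    """Parse the NUL-separated /proc/<pid>/environ into a dict (Linux only)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        items = f.read().split(b"\0")
    pairs = (item.partition(b"=") for item in items if b"=" in item)
    return {k.decode(errors="replace"): v.decode(errors="replace") for k, _, v in pairs}


def parent_pid(pid: int) -> int:
    """PPid of a process, from /proc/<pid>/status (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("PPid:"):
                return int(line.split()[1])
    raise ValueError(f"no PPid for {pid}")


if __name__ == "__main__":
    child = int(sys.argv[1])  # usage: audit.py <pid of the spawned GUI program>
    for finding in audit_child_display(read_proc_environ(parent_pid(child)), read_proc_environ(child)):
        print(finding)
```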