Vulnerabilities in swhkd, a Hotkey Manager for Wayland

A series of vulnerabilities has been identified in swhkd (Simple Wayland Hotkey Daemon), caused by incorrect handling of temporary files, command-line parameters and UNIX sockets. The program is written in Rust and handles hotkey presses in environments based on the Wayland protocol (it is a configuration-file-compatible analogue of the sxhkd process used in X11 environments).

The package includes an unprivileged swhks process that performs the hotkey actions, and the swhkd background process, which runs as root and interacts with input devices at the level of the uinput API. A UNIX socket is used for communication between swhks and swhkd. Polkit rules give any local user the ability to run /usr/bin/swhkd as root and pass arbitrary parameters to it.

Vulnerabilities identified:

  • CVE-2022-27815 – The process PID is saved to a file with a predictable name in a directory writable by other users (/tmp/swhkd.pid). Any user can create /tmp/swhkd.pid and place the PID of an existing process in it, which makes it impossible to start swhkd. If there is no protection against creating symbolic links in /tmp, the vulnerability can be used to create or overwrite files in any system directory (the PID is written to the file) or to determine the contents of any file on the system (swhkd prints the entire contents of the PID file to stdout). It is noteworthy that in the released fix the PID file was moved not to the /run directory but to a directory under /etc (/etc/swhkd/runtime/swhkd_{uid}.pid), where it does not belong either.
  • CVE-2022-27814 – By manipulating the “-c” command-line parameter, which specifies the configuration file, it is possible to determine whether any file exists on the system. For example, to check for /root/.somefile, one can run “pkexec /usr/bin/swhkd -d -c /root/.somefile”; if the file is missing, the error “/root/.somefile doesn’t exist” is displayed. As with the first vulnerability, the fix is puzzling: it amounts to reading the configuration file by running the external “cat” utility (‘Command::new("/bin/cat").arg(path).output()’).
  • CVE-2022-27819
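For the PID-file problem described under CVE-2022-27815, a sketch of PID-file handling that avoids the predictable-name and symlink pitfalls. This is an added example, not swhkd's own code: `read_pid`, `write_pid` and the `owner` parameter are hypothetical names, and the demo directory stands in for a private directory under /run.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{MetadataExt, OpenOptionsExt};
use std::path::Path;

fn denied(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::PermissionDenied, msg)
}

// Read an existing PID file: accept only a small regular file owned by `owner`,
// parse it strictly as a number, and never echo its raw contents.
fn read_pid(path: &Path, owner: u32) -> io::Result<Option<u32>> {
    let md = match fs::symlink_metadata(path) { // lstat: a symlink is not followed
        Ok(md) => md,
        Err(e) if e.kind() == io::ErrorKind::NotFound => return Ok(None),
        Err(e) => return Err(e),
    };
    if !md.file_type().is_file() || md.uid() != owner || md.len() > 16 {
        return Err(denied("PID file is not a small regular file owned by the daemon user"));
    }
    let text = fs::read_to_string(path)?;
    text.trim().parse::<u32>().map(Some)
        .map_err(|_| io::Error::new(io::ErrorKind::InvalidData, "PID file does not hold a PID"))
}

// Create swhkd.pid only inside a directory that other users cannot write to.
fn write_pid(dir: &Path, owner: u32, pid: u32) -> io::Result<()> {
    let md = fs::symlink_metadata(dir)?;
    if !md.file_type().is_dir() || md.uid() != owner || md.mode() & 0o022 != 0 {
        return Err(denied("runtime directory is not private to the daemon user"));
    }
    let path = dir.join("swhkd.pid");
    if read_pid(&path, owner)?.is_some() {
        return Err(io::Error::new(io::ErrorKind::AlreadyExists, "PID file already present"));
    }
    // create_new = O_CREAT|O_EXCL: fails on any existing entry, including a dangling symlink.
    let mut f = OpenOptions::new().write(true).create_new(true).mode(0o600).open(&path)?;
    writeln!(f, "{}", pid)
}

fn main() {
    // Constructed demo: a fresh directory under the temp dir plays the runtime directory.
    let dir = std::env::temp_dir().join(format!("swhkd-demo-{}", std::process::id()));
    fs::create_dir(&dir).expect("create demo dir");
    let owner = fs::metadata(&dir).expect("stat demo dir").uid();
    println!("first start:  {:?}", write_pid(&dir, owner, std::process::id()));
    println!("second start: {:?}", write_pid(&dir, owner, std::process::id()));
    let _ = fs::remove_dir_all(&dir);
}
```

A daemon running as root would pass 0 as `owner`; the directory check is what makes the lstat-then-read sequence safe, since no other user can swap the entry in between.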