CVE-2024-36041 - KSmserver in KDE Plasma – How Local Attackers Can Hijack Your Session (And What To Do About It)

On June 6th, 2024, the KDE project disclosed a serious security issue affecting the KSmserver component in KDE Plasma Workspace. The flaw, tracked as CVE-2024-36041, enables any other local user on your machine to interfere with your desktop session through the session manager, potentially leading to code execution with your user privileges.

In this deep dive, we’ll break down what CVE-2024-36041 is, how it can be exploited, and what you should do to stay safe.

What is KSmserver?

KSmserver is the KDE Session Manager, a key component in Plasma Desktop environments. It handles session saving, restoration, and management—everything you enjoy when KDE remembers your opened apps after a reboot.

What is ICE?

The Inter-Client Exchange (ICE) protocol is a legacy X11 mechanism used for communication between applications and services on the same machine. KSmserver uses ICE to let apps talk to the session manager—for example to register themselves when saving and restoring the desktop session.

Where’s the problem?

In affected versions of KDE Plasma Workspace (before 5.27.11.1 and 6.x before 6..5.1), KSmserver trusts any local ICE connection just because it originates from the same host (your computer). There’s no meaningful authentication to verify if the connecting process belongs to your user.

> In simple terms: If someone else has a user account on your computer and KDE is running under your login, they can connect to your KDE session manager—even if they don’t know your password or have elevated privileges.

Why is this dangerous?

By connecting to KSmserver, a malicious local user can tell it to restore a specific app (or a “fake” app) during your next login. If that “fake” app is a script or binary of their choosing, it will run with your user permissions after you reboot and login. This is a classic *persistence* and *privilege* escalation tactic.

How Could Someone Exploit This? (Step by Step)

Let’s walk through a simplified (but realistic) attack. Assume Alice and Bob are users on the same Linux setup. Alice logs into KDE; Bob is a low-privilege user with shell access.

1. Bob places a malicious script in /tmp/evilscript.sh

echo '#!/bin/bash
xmessage "Your session is pwned!"
' > /tmp/evilscript.sh
chmod +x /tmp/evilscript.sh

### 2. Bob uses the ICE protocol (*via a helper tool or custom code*) to connect to Alice’s KSmserver and registers /tmp/evilscript.sh as a session app to be restored for Alice.

This can be done with tools like iceauth or custom scripts using the XSMP (X Session Management Protocol), which rides over ICE.

Python exploit snippet

*Note: Actual exploitation requires detailed protocol interaction. Here's a metaphorical, simplified code block showing the idea.*

# This is conceptual - not production-ready!
from pyice import open_ice_connection   # Hypothetical ICE python lib

session_manager = open_ice_connection('localhost', )  # Connects to local ICE server
session_manager.send_restore_command('/tmp/evilscript.sh')
session_manager.close()

*No actual Python ICE library exists for generic exploitation; real-world PoC would use C.*

### 3. Alice reboots and logs back in. KSmserver dutifully executes /tmp/evilscript.sh as Alice.

Alice is greeted with a message... or worse, her sensitive data gets exfiltrated.

Original references

- KDE Security Advisory: CVE-2024-36041
- Red Hat Bugzilla Report
- GitLab KDE Merge Request

From the official KDE advisory

> “KSmserver prior to 5.27.11.1 and 6..5.1 accepts ICE connections from all local users for the session management protocol, which allows these users to add arbitrary commands to the session restore list for other users.”

Who Is Vulnerable?

You are at risk if:

Multiple users have accounts on your Linux or *BSD machine.

On single-user systems, the practical risk is much lower, but the code flaw is still present.

You’re not affected if you’re on the current patched KDE Plasma or if only you (or only trusted people) have user accounts.

Run your package manager update! For example

# Fedora/Red Hat
sudo dnf upgrade plasma-workspace

# Debian/Ubuntu
sudo apt update && sudo apt upgrade plasma-workspace

Check your Plasma version

plasmashell --version

Ensure it’s 5.27.11.1 or higher for 5.x, or 6..5.1 or higher for 6.x.

Restrict login access for untrusted users.

- Watch /tmp for suspicious scripts; clean out /tmp at every boot.
- Use pam_tmpdir or similar so users can’t access each other’s /tmp files.

Why Was This Bug Possible?

It’s a classic case of assumptions made in decades-old code. ICE originated in the 198s/90s X11 world, when multi-user systems were mostly trusted environments. Security wasn’t baked into local inter-process communication.

Modern workstations now expect more isolation between users—even on the same PC. KDE’s patch adds robust authentication, so only your processes can talk to your session manager.

Conclusion

CVE-2024-36041 reminds us that even local-only vulnerabilities can be devastating, especially on shared systems. The KDE devs responded quickly with a fix; users just need to update.

If your system is multi-user and runs KDE, update now!

Further Reading & References

- Session Management Protocol (XSMP)
- KDE Security Advisory: CVE-2024-36041
- Red Hat Bug

Timeline

Published on: 07/05/2024 02:15:10 UTC
Last modified on: 07/09/2024 16:22:37 UTC