CVE CyberSecurity Database News

CVE-2024-5148 - Critical Flaw in gnome-remote-desktop Lets Local Attackers Steal RDP Keys

Poster -

Published: June 2024
Severity: High
Component: gnome-remote-desktop
Exploit: Local privilege escalation, credential leak

Introduction

Recently, a significant security flaw has been discovered in the gnome-remote-desktop package affecting Linux systems. Tracked as CVE-2024-5148, this vulnerability could allow unauthorized system users to steal sensitive RDP TLS certificate and key material, leading to possible session hijacking or man-in-the-middle attacks. This post offers a deep-dive into what CVE-2024-5148 is, why it’s dangerous, how it can be exploited, and ways to protect yourself.

What is gnome-remote-desktop?

gnome-remote-desktop is a component for GNOME desktops that enables users to connect remotely using protocols like RDP or VNC. This is often used for remote administration or screen sharing.

What’s the Issue? (Summary of CVE-2024-5148)

The vulnerability lies in how the gnome-remote-desktop system daemon uses D-Bus methods to manage client connections, especially when transitioning from the login screen (GDM) to a user desktop session.

Due to poor validation, a local user with access to the system D-Bus can impersonate a valid session agent. This means they can access internal functions and gain sensitive data, including the RDP TLS certificate and private key, used to secure remote connections.

Technical Details & Flow

When a user connects using Remote Desktop Protocol (RDP), the gnome-remote-desktop daemon manages incoming sessions over D-Bus. It is supposed to ensure that only authorized session agents (the legitimate GNOME session processes) can transition the session from GDM (login) to the logged-in user.

The Flaw:
There is inadequate validation of which session agent is talking to gnome-remote-desktop over D-Bus. An unprivileged local user on the system could send specially crafted D-Bus messages, pretending to be a legitimate session agent.

If successful, gnome-remote-desktop would *think* the user session has taken over the RDP connection. It then exposes the TLS certificate and private key used for RDP, thinking this is part of the correct hand-off procedure.

Process connects to the system D-Bus and talks to the gnome-remote-desktop daemon.

3. Process mimics the transition call (intended for legitimate session agents) to move the RDP session from GDM to the attacker’s session.
4. gnome-remote-desktop, due to the lack of proper checks, accepts the request and hands out the RDP certificate and key.
5. The attacker now possesses the secrets and can hijack remote desktop connections or set up man-in-the-middle attacks.

Code Snippet: Simulated D-Bus Call

Here’s a Python example (using PyDBus) of how an attacker could abuse this flaw:

from pydbus import SystemBus

# Connect to the D-Bus system bus
bus = SystemBus()

# gnome-remote-desktop D-Bus name and path
grd_name = "org.gnome.Mutter.RemoteDesktop"
grd_path = "/org/gnome/Mutter/RemoteDesktop"

# Connect to the interface
grd = bus.get(grd_name, grd_path)

# Attempt to transition connection, mimicking legit session agent
try:
    # This method and arguments are illustrative and may need adaptation
    certificate, key = grd.TransitionToUserSession()  # Hypothetical method
    print("Got certificate:\n", certificate)
    print("Got key:\n", key)
except Exception as e:
    print("[!] Exploit failed:", e)

> Note: Actual method names may differ, but the principle is the same.

References & Further Reading

- GNOME GitLab Security Advisory for CVE-2024-5148
- Red Hat Bugzilla Entry
- mitre.org CVE Description

How To Protect Yourself

- Update gnome-remote-desktop. A fixed version is available in most rolling-release Linux distributions.

Limit local user accounts on your systems. Only trusted users should have shell access.

- Monitor for suspicious D-Bus activity using audit logs (auditctl rules can capture D-Bus usage).
- Don’t use RDP/VNC in multi-user environments if you cannot patch or secure your installation.

Conclusion

CVE-2024-5148 is a serious security flaw that highlights the risks of weak authentication in system service protocols like D-Bus. If you use GNOME’s remote desktop features, either at home or in enterprise, make sure your systems are patched. Always be wary of giving shell access to untrusted users, especially on machines exposing remote desktop services.

Timeline

Published on: 09/02/2024 12:15:19 UTC
Last modified on: 11/28/2024 13:37:19 UTC