Libinput Flaw Enables System Privilege Escalation

A vulnerability has been identified in libinput, the library that provides a unified input stack for Wayland and X.Org Server (no CVE has been assigned). It allows code execution with root rights when a local user connects a virtual input device emulated in user space via uinput or uhid. The issue is fixed in releases 1.31.3 and 1.30.4.

The vulnerability is present in the udev handler libinput-device-group and is caused by the lack of proper escaping of special characters in attributes that are received from devices and passed to the udev subsystem in the form “key=value”. By inserting a newline character (“\n”) into an attribute, an attacker can add their own udev rule, for example by executing the uinput command UI_SET_PHYS(“pocn=”). To execute arbitrary commands with root rights, it is enough to substitute the udev property “REMOVE_CMD” in the same way.
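The missing step described above is neutralizing control characters before a device-supplied string is written out as a one-line “key=value” record. The following C sketch is an added example, not libinput's code and not the actual patch; the helper names, the `EXAMPLE_GROUP` key and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy an untrusted device attribute into out,
 * replacing every control character (including \n and \r) with '_'.
 * Returns the number of replaced bytes, or -1 if the value does not fit. */
static int sanitize_attr(const char *in, char *out, size_t outlen)
{
    int replaced = 0;
    size_t i;

    for (i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];

        if (i + 1 >= outlen)
            return -1;              /* refuse rather than silently truncate */
        if (c < 0x20 || c == 0x7f) {
            out[i] = '_';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    if (outlen == 0)
        return -1;
    out[i] = '\0';
    return replaced;
}

/* Hypothetical helper: build exactly one "KEY=value" line from an
 * untrusted value. Returns 0 on success, -1 if the value is rejected. */
static int format_property(const char *key, const char *value,
                           char *line, size_t len)
{
    char clean[256];
    int n;

    if (sanitize_attr(value, clean, sizeof(clean)) < 0)
        return -1;
    n = snprintf(line, len, "%s=%s", key, clean);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char line[512];
    /* Constructed sample: an attribute carrying an embedded newline. */
    const char *phys = "example-phys/input0\nEXTRA_KEY=value";

    if (format_property("EXAMPLE_GROUP", phys, line, sizeof(line)) == 0)
        printf("%s\n", line);       /* stays a single record */
    return 0;
}
```

A non-zero return from `sanitize_attr` is also a useful signal to log, since legitimate devices have no reason to report control characters in these attributes.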

To exploit the vulnerability, the attacker must have access to the /dev/uinput or /dev/uhid device. Usually only the root user has access to uinput and uhid, but some distributions ship udev rules that allow unprivileged users to create devices via uinput. For example, in Fedora, such rules are set when installing the steam-devices, antimicrox and kdeconnectd packages. A prototype
