Keystrokes to Compromise: Exploiting InputPlumber via D-Bus Authorization Flaws (CVE-2025-66005 & CVE-2025-14338)

InputPlumber is a Linux utility that aggregates and manages physical input devices (keyboards, mice, controllers) into virtual input devices. It exposes a D-Bus system service (e.g., org.shadowblip.InputManager) running with root privileges to perform device actions on behalf of clients.

Because this service runs with high privileges and is exposed system-wide via D-Bus, any flaw in its authorization mechanism is critical — especially when accessible by unprivileged users.


CVE-2025-66005 — Lack of D-Bus Authorization

Affected Versions: InputPlumber before v0.63.0
Severity: High/Critical (local privilege escalation, DoS, information leak)
Root Cause: The InputManager D-Bus service did not enforce any authorization checks on incoming D-Bus method calls. Any local user could connect and call privileged operations without authentication.

Technical Details

  • The service exposes roughly 90 properties and ~10 interfaces on the system D-Bus.
  • Because there was no authorization logic, any local account (even low-privileged users) could connect and perform sensitive operations.
  • Critical D-Bus methods were callable by untrusted clients, including:
    • CreateCompositeDevice
    • CreateTargetDevice

Exploitation Vectors

Attackers can exploit this lack of authorization to do the following:

  • UI Input Injection
    How it works: Invoke CreateTargetDevice to create a virtual keyboard and inject arbitrary keystrokes into active sessions/terminals.
    Impact: Command execution in user context, data theft, account compromise.
  • Information Disclosure
    How it works: Use CreateCompositeDevice with crafted file paths to test for existence or read access to sensitive files (e.g., /root/.bash_history).
    Impact: Reveals sensitive system information not normally accessible to low-privilege users.
  • Denial-of-Service
    How it works: Pass file paths like /dev/zero to exhaust memory or cause service instability.
    Impact: System hangs/crashes affecting user input subsystems.

These techniques effectively provide a local escalation and session hijack path without needing credentials.


CVE-2025-14338 — Polkit Authentication Disabled & Race Condition

Affected Versions: InputPlumber before v0.69.0
Severity: High/Critical
Root Cause:
Even after authorization was added, it was:

  1. Disabled by default — Polkit configuration was a compile-time option that wasn’t enabled in many builds.
  2. Race Condition in Polkit checks — The implementation used the deprecated “unix-process” Polkit subject model, susceptible to PID replacement issues (similar to past Polkit race issues like CVE-2013-4288).

Technical Details

  • Versions after v0.63.0 attempted to enforce Polkit authorization, but the protection was effectively non-existent because the Polkit feature was disabled by default and the build system offered no canonical way to enable it.
  • The Polkit subject used (unix-process) is unsafe and can be tricked into allowing unauthorized actions via PID races.
  • Thus all privileged D-Bus methods remained callable without real authentication until a fixed release.

Why This Matters

Even if authorization code exists, if it’s not enabled or is bypassable via a race condition, the vulnerability reverts to essentially being the same as “no auth at all” — making the system exploitable by local users.


Fixes & Mitigations

The InputPlumber project and SteamOS maintainers have addressed these issues in later releases:

1. Enable Polkit Authentication by Default
Polkit support (Cargo feature) is now enabled by default, requiring clients to pass proper credentials when invoking sensitive APIs.

2. Use Secure Polkit Subject
Instead of unix-process, the service now uses the system bus name subject in Polkit, which is not vulnerable to PID replacement issues.
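As an added example (not InputPlumber's own code, which is written in Rust), the Python below contrasts the two Polkit subject kinds and shows how a privileged D-Bus service gates a method call on the caller's unique bus name rather than its PID. The Polkit authority is stubbed so the snippet runs offline, and the action id is a hypothetical placeholder.

```python
"""Polkit subject construction for a privileged D-Bus service (illustrative)."""
from typing import Callable, Tuple

# Polkit's CheckAuthorization takes a subject of D-Bus type (sa{sv}),
# modelled here as (kind, {key: (signature, value)}).
Subject = Tuple[str, dict]


def unix_process_subject(pid: int, start_time: int = 0) -> Subject:
    """Deprecated subject kind: identifies the caller by PID. The PID can be
    replaced between the service reading it and Polkit evaluating it, so the
    decision may end up applying to a different process."""
    return ("unix-process", {"pid": ("u", pid), "start-time": ("t", start_time)})


def system_bus_name_subject(sender: str) -> Subject:
    """Safe subject kind: identifies the caller by its unique bus name, which
    the bus daemon assigns to exactly one connection. There is nothing to race."""
    if not sender.startswith(":"):
        raise ValueError(f"expected a unique bus name such as ':1.42', got {sender!r}")
    return ("system-bus-name", {"name": ("s", sender)})


def authorize_call(check: Callable[[Subject, str, dict, int, str], Tuple[bool, bool, dict]],
                   sender: str, action_id: str) -> bool:
    """Gate one privileged method call on the sender's bus name.

    `check` stands for org.freedesktop.PolicyKit1.Authority.CheckAuthorization
    (subject, action_id, details, flags, cancellation_id) and returns
    (is_authorized, is_challenge, details). Flags are 0: a system daemon must
    not trigger interactive authentication prompts.
    """
    subject = system_bus_name_subject(sender)
    is_authorized, _is_challenge, _details = check(subject, action_id, {}, 0, "")
    return bool(is_authorized)


def fake_polkit(allowed_names):
    """Offline stand-in for the Polkit authority, for demonstration only."""
    def check(subject, action_id, details, flags, cancellation_id):
        kind, fields = subject
        ok = kind == "system-bus-name" and fields["name"][1] in allowed_names
        return (ok, False, {})
    return check


if __name__ == "__main__":
    check = fake_polkit({":1.42"})           # constructed: only this connection is allowed
    action = "org.example.inputplumber.create-target-device"  # hypothetical action id
    print(authorize_call(check, ":1.42", action))  # True
    print(authorize_call(check, ":1.99", action))  # False
```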

3. systemd Hardening
The InputPlumber systemd service now uses stricter sandboxing/hardening flags to reduce its attack surface.

4. Distribution Patches

  • SteamOS 3.7.20 includes these patches and enforces proper D-Bus authorization.
  • Most major distros packaging InputPlumber have updated to v0.69.0+ which contains the fixes.

Recommended Mitigation

If you cannot update immediately:

  • Restrict access to the InputPlumber D-Bus service:
    Apply aggressive D-Bus policy restrictions (deny non-root connections) until patched.
  • Review Polkit rules:
    Ensure that only trusted users/groups can call InputPlumber methods.
  • Monitor for abuse patterns:
    Look for abnormal device creation or input injection attempts in logs.

Impact Summary

  • CVE-2025-66005
    Impact: No authorization; local users can perform UI injection, DoS, info leak, escalation
    Affected Versions: < v0.63.0
    Fixed In: v0.63.0+ (complete in v0.69.0)
  • CVE-2025-14338
    Impact: Polkit disabled + race condition; auth bypass
    Affected Versions: < v0.69.0
    Fixed In: v0.69.0

Both CVEs stem from insufficient authentication/authorization in a privileged D-Bus service and highlight how dangerous unguarded IPC services can be on *nix systems.


Lessons for Developers & Administrators

  1. Never expose privileged services over IPC without strict auth checks.
  2. Compile-time and build-time options for security must be enabled in shipped builds.
  3. Race conditions in authorization logic (especially with Polkit) can be as dangerous as having no auth at all.
  4. Local threats matter: Even unprivileged local users can compromise systems if trusted IPC channels are not locked down.