CVE-2025-23222

An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services dont know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldnt be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges.

Weakness

The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is coming from the expected origin.

Potential Mitigations

• Use a mechanism that can validate the identity of the source, such as a certificate, and validate the integrity of data to ensure that it cannot be modified in transit using an Adversary-in-the-Middle (AITM) attack.
• When designing functionality of actions in the URL scheme, consider whether the action should be accessible to all mobile applications, or if an allowlist of applications to interface with is appropriate.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/500.html
• https://cwe.mitre.org/data/definitions/594.html
• https://cwe.mitre.org/data/definitions/595.html
• https://cwe.mitre.org/data/definitions/596.html

References

• https://bugzilla.suse.com/show_bug.cgi?id=1229918
• https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html
• https://www.openwall.com/lists/oss-security/2025/01/24/3