Date: Thu, 13 Sep 2012 17:43:16 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Tavis Ormandy <taviso@...xchg8b.com>
Subject: Re: Re: note on gnome shell extensions

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/13/2012 11:59 AM, Tavis Ormandy wrote:
> Vincent Danen <vdanen@...hat.com> wrote:
> 
>> * [2012-09-13 18:03:33 +0200] Marcus Meissner wrote:
>> 
>>> On Thu, Sep 13, 2012 at 05:39:57PM +0200, Tavis Ormandy wrote:
>>>> On Mon, Sep 10, 2012 at 02:48:38PM -0600, Vincent Danen
>>>> wrote:
>>>>> * [2012-09-08 18:14:10 -0600] Kurt Seifried wrote:
>>>>> SUSE has some interesting info in their bug:
>>>>> 
>>>>> https://bugzilla.novell.com/show_bug.cgi?id=779473#c4
>>>>> 
>>>>> By the sounds of it, this should be harmless.  Vincent Untz
>>>>> says that the browser plugin doesn't actually install the
>>>>> extensions, it's passed to another process via a dbus call
>>>>> to gnome-shell, which sends the uuid of the extension to
>>>>> the extensions.gnome.org web site in order to download the
>>>>> extension.
>>>>> 
>>>>> See:
>>>>> 
>>>>> http://git.gnome.org/browse/gnome-shell/tree/js/ui/shellDBus.js#n305
>>>>> 
>>>>> http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionDownloader.js#n27
>>>>> 
>>>>> which is:
>>>>> 
>>>>> let message = Soup.form_request_new_from_hash('GET', REPOSITORY_URL_INFO, params);
>>>>> 
>>>>> And REPOSITORY_URL_INFO is hardcoded earlier:
>>>>> 
>>>>> const REPOSITORY_URL_BASE = 'https://extensions.gnome.org';
>>>>> const REPOSITORY_URL_DOWNLOAD = REPOSITORY_URL_BASE + '/download-extension/%s.shell-extension.zip';
>>>>> const REPOSITORY_URL_INFO     = REPOSITORY_URL_BASE + '/extension-info/';
>>>>> const REPOSITORY_URL_UPDATE   = REPOSITORY_URL_BASE + '/update-info/';
>>>>> 
>>>>> I don't think this is something that can be exploited,
>>>>> based on the above.
>>>> 
>>>> Not sure I follow the logic, can't I just upload something
>>>> malicious to extensions.gnome.org and then force you to
>>>> download it? I mean, I can try it if you're not convinced
>>>> it's possible.
>>> 
>>> There are supposed to be reviewers before it gets activated,
>>> but exactly this concern Sebastian also voiced.
>>> 
>>>> They surely do not have a magical technique for determining
>>>> if my code is or can become malicious.
>>> 
>>> Exactly.
>> 
>> Yeah, this is definitely a possibility, but could happen
>> regardless of this with some social engineering (hey, download my
>> cool foo extension!) and have something malicious up there.  This
>> is pretty much the same thing, just making it easier.
> 
> Well, no. This is like saying it's pointless to patch
> vulnerabilities, because I can just make you download malware. You
> can't just make me download malware, because I know how to make
> trust decisions.
> 
> You could make me download a malicious gnome extension, because you
> can do so without interaction or my consent.
> 
>> It's not much different than having a malicious app in the 
>> iTunes/Android/Whatever app store.  The flaw there isn't so much
>> in the app store, but the app.  Wouldn't the same thought apply
>> here?
>> 
> 
> I've uploaded my malicious android app, how do I make you install
> it?
> 
> I can create http://foo.com/malware.rpm, that's clearly not a
> vulnerability and working as designed. But if I can force you to
> download and install it without you having the opportunity to make
> a trust decision, that clearly is a vulnerability.
> 
> Do you agree that I can upload something malicious to
> extensions.gnome.org?
> 
> Do you agree that I can make you install it without consent,
> interaction, or the opportunity to make a trust decision?
> 
> If so, then I don't understand the objection :-)
> 
> Tavis.

Please use CVE-2012-4427 for this issue.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
-----END PGP SIGNATURE-----
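The thread above turns on one design point: the hardcoded REPOSITORY_URL_BASE only pins where an extension archive is fetched from, it does not establish that the user asked for it, so a uuid handed in over the bus by a browser plugin reaches the download code without any trust decision. The following is an added example, not gnome-shell's code and not its eventual fix: it models that entry point as a gatekeeper that validates the uuid shape, builds the URL only from the quoted constants, and refuses to fetch until an explicit confirmation step approves the install. The names createInstallHandler, confirmInstall, fetchFn and demo, the uuid pattern, and the sample uuids and archive are assumptions constructed for the example.

```javascript
// Added example (not gnome-shell's own code): a gatekeeper for the
// "install extension by uuid" entry point discussed in the thread.
// The two REPOSITORY_URL_* constants mirror the quoted extensionDownloader.js;
// everything else is an assumption made for this example.

const REPOSITORY_URL_BASE = 'https://extensions.gnome.org';
const REPOSITORY_URL_DOWNLOAD =
  REPOSITORY_URL_BASE + '/download-extension/%s.shell-extension.zip';

// Extension uuids look like name@domain. Accepting only this shape keeps an
// identifier supplied by an untrusted caller (a web page, via the browser
// plugin and the bus) from carrying path or query characters into the URL.
const UUID_PATTERN = /^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+$/;

function buildDownloadUrl(uuid) {
  if (typeof uuid !== 'string' || !UUID_PATTERN.test(uuid)) {
    throw new Error('rejected uuid: ' + JSON.stringify(uuid));
  }
  return REPOSITORY_URL_DOWNLOAD.replace('%s', uuid);
}

// confirmInstall(uuid) must return true only after the user was actually
// asked; fetchFn(url) performs the download. Both are injected so the
// policy can be exercised without a display or a network connection.
function createInstallHandler({ confirmInstall, fetchFn }) {
  const audit = []; // one entry per request, whatever the outcome
  return {
    audit,
    install(uuid) {
      let url;
      try {
        url = buildDownloadUrl(uuid);
      } catch (e) {
        audit.push({ uuid, outcome: 'rejected-uuid' });
        return { installed: false, reason: 'rejected-uuid' };
      }
      // The hardcoded base only pins where the archive comes from. It says
      // nothing about whether the user wanted it, so a request that arrived
      // unsolicited over the bus still needs an explicit trust decision.
      if (!confirmInstall(uuid)) {
        audit.push({ uuid, outcome: 'declined', url });
        return { installed: false, reason: 'declined' };
      }
      const bytes = fetchFn(url);
      audit.push({ uuid, outcome: 'installed', url });
      return { installed: true, url, size: bytes.length };
    },
  };
}

// Constructed scenario: a fake repository serving one archive, and a user
// who approves exactly one uuid and declines everything else.
function demo() {
  const served = {
    'https://extensions.gnome.org/download-extension/clock@example.org.shell-extension.zip':
      'PK\u0003\u0004stub', // stand-in for a zip archive
  };
  const handler = createInstallHandler({
    confirmInstall: uuid => uuid === 'clock@example.org',
    fetchFn: url => {
      if (!(url in served)) throw new Error('unexpected fetch: ' + url);
      return served[url];
    },
  });
  return {
    wanted: handler.install('clock@example.org'),
    unsolicited: handler.install('ads@attacker.example'), // user declines, nothing fetched
    malformed: handler.install('../../tmp/x'),            // rejected before any fetch
    audit: handler.audit,
  };
}
```

Calling demo() returns one installed result, one declined result, one rejected-uuid result and a three-entry audit trail; the injected fetchFn throws on any URL other than the approved one, which is how the example shows that neither the unsolicited nor the malformed request ever reaches the network.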
