Date: Mon, 17 Sep 2012 09:23:37 +0200 From: Sebastian Krahmer <krahmer@...e.de> To: oss-security@...ts.openwall.com Subject: Re: libdbus CVE-2012-3524 fix Hi, On Fri, Sep 14, 2012 at 10:15:42AM +0200, Tomas Hoger wrote: > On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote: > > > The recently discussed libdbus getenv() issue  turned out > > to be easily exploitable on various UNIX systems, including > > some Linux distributions. Common attack vectors are Xorg and > > spice-gtk via auto-launching . > > Properly patching requires fixes for libdbus and libgio, > > depending on which you link your suid binaries. > > [ ... ] > > >  http://stealth.openwall.net/null/dzug.c > > Sebastian, can you confirm that this summary completely covers all your > findings? Um, I focused on the suid/daemons that we have on our dist, so theres indeed no claim that the list of attack vectors is complete. I cannot check any library/pam combination of any UNIX that is outthere. :) Though, I tried to be as 'complete as possible'. For example, you can also use su as attack vector if you run systemd (via pam_systemd and su keeping a parent pam-session as root, triggering pam_systemd.so load with user given environment; loading libdbus). And finally pam_ck_connector, but AFAIS this cannot be triggered as it only runs via login or login managers which dosn't leave room for DBUS_SYSTEM_BUS_ADDRESS passing so easily. But you know, these guys are maybe more clever than us and they get more money for their results. Thats the A in APT. :) > > There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment > variable in both libdbus and glib/libgio when used in a privileged > (setuid or setgid) application. > > libdbus is currently tracked via CVE-2012-3524, with two known attack > variants: > - unixexec:, which is only supported in recent dbus versions (1.5+ from > what I can see) > - autolaunch: combined with malicious PATH setting, leading to > execution of the attacker's dbus-launch. This affects pre-1.5 dbus > versions too. Ok, there is also 'nonce-tcp' which you could use to dump (parts of) secret files. There is also the option to use a UNIX socket that you dont have write permission to, writing semi-garbage to it (with root peer credentials), maybe triggering actions in daemons that are 'unexpected'. > > libgio got CVE-2012-4425: > - autolaunch: or empty address, combined with PATH setting, similar to > the second libdbus variant Yes, but I didnt check libgio explicitely. There might be other issues lurking inside libgio. Sebastian -- ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ