Date: Tue, 18 Sep 2012 08:43:29 +0200
From: Sebastian Krahmer <krahmer@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Re: note on gnome shell extensions


Yes, Vincent Untz did:

https://bugzilla.gnome.org/show_bug.cgi?id=684215

Sebastian

On Mon, Sep 17, 2012 at 02:28:23PM -0600, Vincent Danen wrote:
> * [2012-09-13 17:43:16 -0600] Kurt Seifried wrote:
>
> Has anyone reported this to upstream yet?
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 09/13/2012 11:59 AM, Tavis Ormandy wrote:
>>> Vincent Danen <vdanen@...hat.com> wrote:
>>>
>>>> * [2012-09-13 18:03:33 +0200] Marcus Meissner wrote:
>>>>
>>>>> On Thu, Sep 13, 2012 at 05:39:57PM +0200, Tavis Ormandy wrote:
>>>>>> On Mon, Sep 10, 2012 at 02:48:38PM -0600, Vincent Danen
>>>>>> wrote:
>>>>>>> * [2012-09-08 18:14:10 -0600] Kurt Seifried wrote: SUSE has
>>>>>>> some interesting info in their bug:
>>>>>>>
>>>>>>> https://bugzilla.novell.com/show_bug.cgi?id=779473#c4
>>>>>>>
>>>>>>> By the sounds of it, this should be harmless.  Vincent Untz
>>>>>>> says that the browser plugin doesn't actually install the
>>>>>>> extensions, it's passed to another process via a dbus call
>>>>>>> to gnome-shell, which sends the uuid of the extension to
>>>>>>> the extensions.gnome.org web site in order to download the
>>>>>>> extension.
>>>>>>>
>>>>>>> See:
>>>>>>>
>>>>>>> http://git.gnome.org/browse/gnome-shell/tree/js/ui/shellDBus.js#n305
>>>>>>>
>>>>>>> http://git.gnome.org/browse/gnome-shell/tree/js/ui/extensionDownloader.js#n27
>>>>>>>
>>>>>>> which is:
>>>>>>>
>>>>>>> let message = Soup.form_request_new_from_hash('GET', REPOSITORY_URL_INFO, params);
>>>>>>>
>>>>>>> And REPOSITORY_URL_INFO is hardcoded earlier:
>>>>>>>
>>>>>>> const REPOSITORY_URL_BASE = 'https://extensions.gnome.org';
>>>>>>> const REPOSITORY_URL_DOWNLOAD = REPOSITORY_URL_BASE + '/download-extension/%s.shell-extension.zip';
>>>>>>> const REPOSITORY_URL_INFO     = REPOSITORY_URL_BASE + '/extension-info/';
>>>>>>> const REPOSITORY_URL_UPDATE   = REPOSITORY_URL_BASE + '/update-info/';
>>>>>>>
>>>>>>> I don't think this is something that can be exploited,
>>>>>>> based on the above.
>>>>>>
>>>>>> Not sure I follow the logic, can't I just upload something
>>>>>> malicious to extensions.gnome.org and then force you to
>>>>>> download it? I mean, I can try it if you're not convinced
>>>>>> it's possible.
>>>>>
>>>>> There are supposed to be reviewers before it gets activated,
>>>>> but exactly this concern Sebastian also voiced.
>>>>>
>>>>>> They surely do not have a magical technique for determining
>>>>>> if my code is or can become malicious.
>>>>>
>>>>> Exactly.
>>>>
>>>> Yeah, this is definitely a possibility, but could happen
>>>> regardless of this with some social engineering (hey, download my
>>>> cool foo extension!) and have something malicious up there.  This
>>>> is pretty much the same thing, just making it easier.
>>>
>>> Well, no. This is like saying it's pointless to patch
>>> vulnerabilities, because I can just make you download malware. You
>>> can't just make me download malware, because I know how to make
>>> trust decisions.
>>>
>>> You could make me download a malicious gnome extension, because you
>>> can do so without interaction or my consent.
>>>
>>>> It's not much different than having a malicious app in the
>>>> iTunes/Android/Whatever app store.  The flaw there isn't so much
>>>> in the app store, but the app.  Wouldn't the same thought apply
>>>> here?
>>>>
>>>
>>> I've uploaded my malicious android app, how do I make you install
>>> it?
>>>
>>> I can create http://foo.com/malware.rpm, that's clearly not a
>>> vulnerability and working as designed. But if I can force you to
>>> download and install it without you having the opportunity to make
>>> a trust decision, that clearly is a vulnerability.
>>>
>>> Do you agree that I can upload something malicious to
>>> extensions.gnome.org?
>>>
>>> Do you agree that I can make you install it without consent,
>>> interaction, or the opportunity to make a trust decision?
>>>
>>> If so, then I don't understand the objection :-)
>>>
>>> Tavis.
>>
>> Please use CVE-2012-4427 for this issue.
>>
>>
>>
>> - --
>> Kurt Seifried Red Hat Security Response Team (SRT)
>> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.12 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>>
>> iQIcBAEBAgAGBQJQUm+UAAoJEBYNRVNeJnmTK/AP/3y+9lFhNKhkJ8tAbPoW4BY5
>> l9SRL8b0ikcTH8YgyvUKGj/QErVru1s9V3yLmgXJB3KSPFexGscHQFMGs1zwA1ap
>> LetcxqmOQjCYW+lffqDqBqP8CsL/6acTSUjbEIlhYn9qBPH+rLYlb9i1Hv3zw2Fj
>> h8sD7kTnLJQurcEUB36IuMWncG+ffYlulPam/Jvhr7UpEsBDHzPm1zSJMTaKFxKk
>> eQzGBEuEEZKwcvLXk/6ZR2hqq4B5DBatft39UXGFJlcqUG+EpRcI20Ra4Np1DlKi
>> cQ3hJYAU9je2nmCV48ihNIFY2t8DNCthfqld6xDOaZxRd+GWhOPDR4PifDtO07mF
>> vBpBqXCrOPNybIX3Kt+Lpbt+NqQCRfI0zgG0ipIoNPVGhSeq37flOOeLTC29rYRb
>> Dk0ZARTq00TAJ8mq7FctU31S8qnLjgcjiKoFI9UUU+zk3WL3i6OjfNdkkTWV7T9i
>> hYLkAkPg8OcDm/bOfWnxzLNZRo24bwWi/1ftj0sIs8xOO4QbE94y2/c5Byb0I/2k
>> TIqQdRVruqLLSQ0md7kgxLvkVybzy2A4FYToKMiwmeMByR54C/H/e5TGOxmVLPeD
>> ceqfTyZi2Zp7zWSEgFIwaG6jXD/HV9cpDyQnYeKVaVITCDSPGJgXYN6RZkkpKSEk
>> 3dm76Lc9jTSfg2PeY1Pb
>> =rsga
>> -----END PGP SIGNATURE-----
>
> -- 
> Vincent Danen / Red Hat Security Response Team 

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@...e.de - SuSE Security Team
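
As an added example, not code from gnome-shell, its browser plugin, or anyone on this thread: the point Tavis Ormandy argues above is that web content reaches a privileged "install extension by uuid" path without any trust decision in between. The gate below models the decision that is missing. makeInstallGate, isTrustedOrigin, isPlausibleUuid, the allow list and the sample requests are all assumptions made for this example; the actual change made for bug 684215 is not described on this page. The gate only forwards a request to the stand-in for the D-Bus call when the requesting document's exact origin is allow-listed, the uuid is a plain identifier (it ends up in REPOSITORY_URL_DOWNLOAD and on disk), and the request followed a user gesture.

```javascript
// Added example (not gnome-shell's or the browser plugin's code).
// Models the trust decision discussed on the thread: web content reaches a
// privileged "install extension by uuid" path, so a gate must sit in front
// of it. makeInstallGate, isTrustedOrigin, isPlausibleUuid, the allow list
// and the sample requests are all assumptions made for this example.

// Only the repository itself may drive the install path (assumed policy).
const TRUSTED_ORIGINS = new Set(['https://extensions.gnome.org']);

// Exact origin match (scheme + host + port). A suffix or substring check
// would accept "extensions.gnome.org.evil.example" or
// "https://evil.example/?extensions.gnome.org".
function isTrustedOrigin(documentUrl) {
  let origin;
  try {
    origin = new URL(documentUrl).origin;   // WHATWG URL, global in Node
  } catch (e) {
    return false;                            // unparsable location: deny
  }
  return TRUSTED_ORIGINS.has(origin);
}

// The uuid later becomes part of a download URL (the %s in
// REPOSITORY_URL_DOWNLOAD) and of an on-disk directory name, so it must be a
// plain identifier: no slashes, no "..", bounded length.
const UUID_RE = /^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$/;
function isPlausibleUuid(uuid) {
  return typeof uuid === 'string' && UUID_RE.test(uuid) && !uuid.includes('..');
}

// Returns the gated entry point. `installExtension(uuid)` stands in for the
// D-Bus call into gnome-shell that does the real download and install.
function makeInstallGate(installExtension) {
  return function requestInstall({ documentUrl, uuid, userGesture }) {
    if (!isTrustedOrigin(documentUrl)) return { ok: false, reason: 'untrusted-origin' };
    if (!isPlausibleUuid(uuid))        return { ok: false, reason: 'bad-uuid' };
    if (!userGesture)                  return { ok: false, reason: 'no-user-gesture' };
    installExtension(uuid);
    return { ok: true, reason: 'installed' };
  };
}

// Constructed sample requests, one per decision branch.
const SAMPLE_REQUESTS = [
  { documentUrl: 'https://extensions.gnome.org/extension/19/user-themes/',
    uuid: 'user-theme@gnome-shell-extensions.gcampax.github.com', userGesture: true },
  { documentUrl: 'https://extensions.gnome.org.evil.example/', uuid: 'x@y', userGesture: true },
  { documentUrl: 'http://extensions.gnome.org/', uuid: 'x@y', userGesture: true },
  { documentUrl: 'https://extensions.gnome.org/', uuid: '../../tmp/evil', userGesture: true },
  { documentUrl: 'https://extensions.gnome.org/', uuid: 'x@y', userGesture: false },
];

// Runs every sample through the gate; returns the decisions plus what
// actually reached the install stand-in.
function runSamples(requests = SAMPLE_REQUESTS) {
  const installed = [];
  const requestInstall = makeInstallGate(uuid => installed.push(uuid));
  const decisions = requests.map(r => requestInstall(r).reason);
  return { decisions, installed };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Only the first sample reaches the install stand-in; the origin check is an exact comparison of the parsed origin, so the look-alike host, the plain-http variant and a malformed location are all refused before the uuid is even looked at.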
