Date: Mon, 10 Oct 2016 13:15:18 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: fd.o #98157: dbus format string vulnerability fixed in 1.10.12

Bug tracked as: https://bugs.freedesktop.org/show_bug.cgi?id=98157
Versions affected: dbus >= 1.4.0
Mitigated in: dbus >= 1.9.10, 1.8.x >= 1.8.16, 1.6.x >= 1.6.30
Fixed in: dbus >= 1.11.6, 1.10.x >= 1.10.12, 1.8.x >= 1.8.22
Exploitable by: local users
Impact: unknown, possibly arbitrary code execution
Reporter: Simon McVittie, Collabora Ltd.

D-Bus <http://www.freedesktop.org/wiki/Software/dbus/> is an
asynchronous inter-process communication system, commonly used
for system services or within a desktop session on Linux and other
operating systems.

A format string vulnerability in the reference bus implementation,
dbus-daemon, could potentially allow local users to cause arbitrary
code execution or denial of service.

In versions of dbus-daemon that are also vulnerable to CVE-2015-0245,
this format string vulnerability is available to all local users.
These versions should be patched or updated immediately.

In versions of dbus-daemon where CVE-2015-0245 was already fixed, this
is not believed to be exploitable in practice, because the relevant
message is ignored unless it comes from the owner of the bus name
org.freedesktop.systemd1. On the system bus, this bus name is only
allowed to be owned by uid 0; it is intended to be owned by systemd,
and no mechanism is currently known by which an attacker who does not
already have root privileges could induce systemd to send messages
that would trigger the format string vulnerability.
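The pattern the advisory describes, as an added illustration that is not code from the advisory or from dbus: a constructed stand-in for dbus_set_error() carrying the printf format attribute that -Wsuggest-attribute=format recommends, with the patched "%s" call beside the pre-patch shape that -Wformat-security rejects. The names set_error, ErrorRecord and record_failure, the error name and the sample message text are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DBusError: an error name plus a message buffer. */
typedef struct {
    char name[64];
    char message[256];
} ErrorRecord;

/* Stand-in for dbus_set_error(): printf-style, like the real function.
 * The format attribute is what lets -Wformat-security flag a non-literal
 * format with no arguments (the hint -Wsuggest-attribute=format gives). */
__attribute__((format(printf, 3, 4)))
static void set_error(ErrorRecord *err, const char *name, const char *fmt, ...)
{
    va_list ap;
    snprintf(err->name, sizeof err->name, "%s", name);
    va_start(ap, fmt);
    vsnprintf(err->message, sizeof err->message, fmt, ap);
    va_end(ap);
}

static ErrorRecord last_error;

/* Patched form of the call: untrusted text travels as a "%s" argument,
 * never as the format, so any '%' in it is stored literally. */
static const char *record_failure(const char *code, const char *str)
{
    set_error(&last_error, code, "%s", str);
    return last_error.message;
}

/* Pre-patch form, kept out of the build: with the attribute above, gcc
 * -Wformat -Wformat-security reports "format not a string literal and no
 * format arguments" here, which is how the original bug was found. */
#ifdef SHOW_PREPATCH_CALL
static void record_failure_prepatch(const char *code, const char *str)
{
    set_error(&last_error, code, str);
}
#endif

int main(void)
{
    /* Constructed message text containing conversion specifiers. */
    const char *msg = "Unit example.service failed: %s %x";
    printf("%s\n", record_failure("org.example.ActivationFailed", msg));
    return 0;
}
```

Building with -DSHOW_PREPATCH_CALL -Wformat -Wformat-security shows the warning on the pre-patch call and nothing on the patched one.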

Patching or updating dbus-daemon is strongly recommended. A minimal
patch is attached to this advisory.

Please reference fd.o #98157 or
<https://bugs.freedesktop.org/show_bug.cgi?id=98157> in any notices
that refer to this vulnerability.

Regards,
    S
-- 
Simon McVittie
Collabora Ltd. <https://www.collabora.com/> / Debian <https://www.debian.org/>

From 91ec6a05612492b845c8cbde3ad42b29569fe7af Mon Sep 17 00:00:00 2001
From: Simon McVittie <simon.mcvittie@...labora.co.uk>
Date: Fri, 7 Oct 2016 19:13:01 +0100
Subject: [PATCH] dbus_activation_systemd_failure: do not use non-literal
 format string

In principle this could lead to arbitrary memory overwrite via
a format string attack in the message received from systemd,
resulting in arbitrary code execution.

This is not believed to be an exploitable security vulnerability on the
system bus in practice: it can only be exploited by the owner of the
org.freedesktop.systemd1 bus name, which is restricted to uid 0, so
if systemd is attacker-controlled then the system is already doomed.
Similarly, if a systemd system unit mentioned in the activation failure
message has an attacker-controlled name, then the attacker likely already
has sufficient access to execute arbitrary code as root in any case.

However, prior to dbus 1.8.16 and 1.9.10, due to a missing check for
systemd's identity, unprivileged processes could forge activation
failure messages which would have gone through this code path.
We thought at the time that this was a denial of service vulnerability
(CVE-2015-0245); this bug means that it was in fact potentially an
arbitrary code execution vulnerability.

Bug found using -Wsuggest-attribute=format and -Wformat-security.

Signed-off-by: Simon McVittie <simon.mcvittie@...labora.co.uk>
Reviewed-by: Colin Walters <walters@...bum.org>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=98157
---
 bus/activation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bus/activation.c b/bus/activation.c
index 2c5ef9d..1e59190 100644
--- a/bus/activation.c
+++ b/bus/activation.c
@@ -2222,7 +2222,7 @@ dbus_activation_systemd_failure (BusActivation *activation,
                              DBUS_TYPE_STRING, &code,
                              DBUS_TYPE_STRING, &str,
                              DBUS_TYPE_INVALID))
-    dbus_set_error(&error, code, str);
+    dbus_set_error (&error, code, "%s", str);
 
 
   if (unit)
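Review bot: the `"%s"` on the `+` line is the right fix, but the hunk leaves nothing in place to stop the next non-literal format reaching dbus_set_error; since the commit message credits -Wformat-security with finding this one, consider adding -Werror=format-security to the default warning flags in the same change so this class of bug fails the build rather than waiting for a one-off audit. The added space in `dbus_set_error (` also brings the call in line with the `dbus_activation_systemd_failure (` spacing visible in the hunk header, which is worth a word in the commit message so it does not read as an accidental whitespace change.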
-- 
2.9.3