Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 14 Sep 2022 11:56:48 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: insufficiently protected D-Bus interface in KDiskMark 3.0.0
 (CVE-2022-40673)

# Introduction

The SUSE security team has been asked to review changes [1] in the D-Bus
implementation in KDiskMark [2] major version 3.0.0. KDiskMark is a graphical
utility that allows to run performance benchmarks on local file systems.

# Vulnerability

The review of this codebase showed that the D-Bus interface of the privileged
helper program `kdiskmark_helper` is insufficiently secured. Only the helper's
`init()` member function (helper.cpp:51) is protected by the Kauth
framework and thus by Polkit `auth_admin` authentication. Calling the `init()`
method, once authorized, causes the actual Helper D-Bus interface to be
registered on the D-Bus system bus. This means that the usual D-Bus level
autostart of the helper service is not possible, but only users in the system
that authenticate as root are allowed to fully start the helper.

Once the helper *is* started, however, all further D-Bus methods offered by
the helper interface are *not* protected any more. Any user with access to the
D-Bus system bus may invoke them without restrictions. These D-Bus methods
then offer attack surface:

- removeFile: allows to remove arbitrary files in the system (local DoS,
              arbitrary file existence test).
- prepareFile: allows to create large files owned by root in arbitrary locations
              (also via symlinks), the final path component needs to be
	      .kdiskmark.tmp, if not, then kdiskmark itself is DoS'ed, because
              it quits.
- startTest: similar to prepareFile. No arbitrary code execution is possible,
	      because the interface takes mostly integers as input and the
              `fio` sub process command line is carefully constructed.
- flushPageCache: drops the kernel's file system caches, therefore this offers
              a kind of local performance DoS.

# Fixed Version

I informed the review requestor (who is also the upstream author) about the
issue and upstream created a follow-up version 3.1.0 featuring a
fixed approach to authentication.

I obtained CVE-2022-40673 from Mitre to track the lack of proper D-Bus method
authentication in the D-Bus helper program.

# Timeline

2022-08-24: review request for KDiskMark 3.0.0 reached us.
2022-08-31: I started working on the review.
2022-08-31: I informed the upstream author about the vulnerability, offering
            coordinated disclosure and a suggestion on which approach to take
            to fix it.
2022-09-07: Upstream presented version 3.1.0 with an improved
            authentication scheme.
2022-09-12: I performed a follow-up review and found the vulnerability to be
            fixed.
2022-09-13: I requested a CVE for the issue from Mitre.
2022-09-14: There was no formal embargo established, upstream published fixes
	    for the issue right away. Publication of the CVE, Bugzilla bug and
            full report on our end.

# References

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1202725
[2]: https://github.com/JonMagon/KDiskMark.git

Cheers

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.