Date: Mon, 5 Aug 2019 15:51:59 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Security issues in various deepin D-Bus services and tools

We've been reviewing a number of D-Bus services and applications that
are part of the deepin desktop environment (a desktop environment
focused on Chinese users). There are a large number of security-related
findings in these components. Since there has been little progress in
the communication with upstream to fully fix these issues for some time,
I'm hereby making them available more publicly. It seems to us that
upstream is lacking a designated security contact and a security policy.

deepin-api
==========

This package provides some common system services for the deepin desktop
environment. It employs polkit for permissions management. Full details
can be found in [1]. The following issues have been found:

1) com.deepin.api.Device.conf: The service allows anybody to run
  /usr/sbin/rfkill with arbitrary arguments. Polkit protection is not
  implemented; only a TODO in the source code hints at it.

2) com.deepin.api.SoundThemePlayer.conf: The service lets any user pass
  it an arbitrary file, which it then tries to read as an audio file and
  play as `root`.
  While the service supposedly only looks into a couple of system
  directories for the files, like /usr/share/sounds/..., it can be
  tricked by passing relative path components like so:

  ```
  dbus-send --system --print-reply --dest=com.deepin.api.SoundThemePlayer \
     /com/deepin/api/SoundThemePlayer com.deepin.api.SoundThemePlayer.Play \
     string:goodtheme string:../../../../../home/mgerstner/test string:alsa
  ```

  This allows specifying files under user control, e.g. a very big
  file, a specially constructed file that triggers a buffer overflow, or
  even a special file like a FIFO, which will DoS the system service.

3) com.deepin.api.LocaleHelper: This service employs polkit
  authentication, but does so using the deprecated unix-process subject,
  which identifies the caller by PID (plus start time) and is therefore
  prone to PID-reuse races; the system-bus-name subject is the
  recommended alternative.

  Furthermore, in locale-helper/main.go, doGenLocaleWithParam() calls
  ("/bin/sh", "-c", cmd) where `cmd` is a user-supplied parameter. This
  allows injection of shell metacharacters, which can lead to code
  execution or other unexpected results.
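As an added example (not code from the deepin project), the following Go
program puts the two argument-handling mistakes from findings 2 and 3
next to hardened versions: a path built from caller-supplied theme and
event names that escapes the sound directory through `..`, and a locale
name pasted into `sh -c`. The search directory, the file size cap, the
localedef command line and the default charmap are assumptions; the page
does not show the service's real values.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"regexp"
	"strings"
	"syscall"
)

// Assumed search directory; the page only mentions /usr/share/sounds/...
const soundDir = "/usr/share/sounds"

// vulnerableResolve reproduces finding 2: caller-supplied theme and event
// names are joined onto the search directory, so ".." components walk out
// of it. filepath.Join cleans the result, which makes the escape look like
// an ordinary absolute path.
func vulnerableResolve(theme, event string) string {
	return filepath.Join(soundDir, theme, event)
}

// safeResolve accepts only single path components and then double-checks
// that the joined path still lies below soundDir.
func safeResolve(theme, event string) (string, error) {
	for _, c := range []string{theme, event} {
		if c == "" || c == "." || c == ".." || strings.ContainsAny(c, `/\`) {
			return "", fmt.Errorf("invalid path component %q", c)
		}
	}
	p := filepath.Join(soundDir, theme, event)
	rel, err := filepath.Rel(soundDir, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("%s escapes %s", p, soundDir)
	}
	return p, nil
}

// openRegular opens the resolved file for the privileged player: no symlink
// following, non-blocking so a FIFO cannot hang the service, and only a
// regular file of at most maxSize bytes is accepted, so a huge file or a
// device node is refused before any audio decoder sees it.
func openRegular(path string, maxSize int64) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if err != nil {
		return nil, err
	}
	st, err := f.Stat()
	switch {
	case err != nil:
	case !st.Mode().IsRegular():
		err = fmt.Errorf("%s is not a regular file", path)
	case st.Size() > maxSize:
		err = fmt.Errorf("%s is larger than %d bytes", path, maxSize)
	default:
		return f, nil
	}
	f.Close()
	return nil, err
}

// localeRe is an allowlist for names such as de_DE.UTF-8 or de_DE@euro;
// shell metacharacters cannot pass it.
var localeRe = regexp.MustCompile(`^[A-Za-z]{1,8}(_[A-Za-z]{2,3})?(\.[A-Za-z0-9-]+)?(@[A-Za-z0-9]+)?$`)

// vulnerableLocaleArgv reproduces finding 3: the caller-controlled name is
// pasted into a shell command line, so "de_DE; id" also runs id.
func vulnerableLocaleArgv(name string) []string {
	return []string{"/bin/sh", "-c", "localedef -i " + name + " -f UTF-8 " + name}
}

// safeLocaleArgv validates the name and builds argv for localedef directly,
// with no shell in between. The localedef invocation is an assumption.
func safeLocaleArgv(name string) ([]string, error) {
	if !localeRe.MatchString(name) {
		return nil, fmt.Errorf("invalid locale name %q", name)
	}
	input, charmap := name, "UTF-8" // assumed default charmap
	if i := strings.IndexByte(name, '.'); i >= 0 {
		input, charmap = name[:i], name[i+1:]
		if j := strings.IndexByte(charmap, '@'); j >= 0 { // @modifier belongs to the input name
			input, charmap = input+charmap[j:], charmap[:j]
		}
	}
	return []string{"localedef", "-i", input, "-f", charmap, name}, nil
}

// runLocaledef executes the validated argv without a shell.
func runLocaledef(name string) error {
	argv, err := safeLocaleArgv(name)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
	return cmd.Run()
}

func main() {
	evil := "../../../../../home/mgerstner/test"
	fmt.Println("vulnerable:", vulnerableResolve("goodtheme", evil))
	_, err := safeResolve("goodtheme", evil)
	fmt.Println("hardened:", err)
	_, err = safeLocaleArgv("de_DE; id")
	fmt.Println("hardened:", err)
}
```

The same argv-allowlist approach applies to the rfkill wrapper from
finding 1: expose a fixed set of operations and pass them to
exec.Command rather than forwarding caller arguments. None of these
checks replaces the missing polkit authorization; they only remove the
path and shell tricks a caller can play once it is allowed in.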

Most of these issues have by now been addressed by upstream in some way.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1070943

deepin-file-manager
===================

This package provides a file manager for the deepin desktop environment.
Full details about the findings can be found in [2].

com.deepin.pkexec.usb-device-formatter.policy: This allows any locally
logged-in regular user to run /usr/bin/usb-device-formatter without any
authentication.

The usb-device-formatter has the following issues:

- It crashes when called without parameters.
- It can be used to determine the existence of arbitrary files, since
  any path can be passed and the error message differentiates between
  a non-existent path and a path that is not a block device.
- When operating on a symlink to a block device, the application allows
  unmounting arbitrary block devices as long as they are not busy.
- The same symlink attack can be used to format arbitrary file systems
  as long as they are not busy.
- It reads from the user's `~/.pam_environment` without any protection.
  It looks like other PAM applications do that as well. Symlinking
  /dev/zero there causes fun things. This should only be done after
  dropping privileges to the calling user and without following
  symlinks.

So this program is certainly not fit to be run without root
authentication.

A couple of the issues have in some way been addressed by upstream, but
some of the fixes are still incomplete.
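To make the polkit side of this finding concrete, here is an added Go
checker (not part of deepin or polkit) that parses a .policy file and
reports every action whose implicit authorization is "yes", i.e. that
polkit grants with no password prompt at all. The embedded policy is
constructed to match what the page describes: the action id is taken
from the file name, the helper path from the text, while the
description, message and the rest of the file are assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Constructed policy in the shape described on the page. allow_active=yes
// means any user in a local, active session may run the helper without
// authenticating.
const usbFormatterPolicy = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="com.deepin.pkexec.usb-device-formatter">
    <description>Format USB devices</description>
    <message>Authentication is required to format a USB device</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usb-device-formatter</annotate>
  </action>
</policyconfig>`

type policyConfig struct {
	Actions []struct {
		ID       string `xml:"id,attr"`
		Defaults struct {
			AllowAny      string `xml:"allow_any"`
			AllowInactive string `xml:"allow_inactive"`
			AllowActive   string `xml:"allow_active"`
		} `xml:"defaults"`
		Annotations []struct {
			Key   string `xml:"key,attr"`
			Value string `xml:",chardata"`
		} `xml:"annotate"`
	} `xml:"action"`
}

// Finding is one action that some class of caller gets for free.
type Finding struct {
	ActionID string
	Subject  string // allow_any, allow_inactive or allow_active
	ExecPath string // org.freedesktop.policykit.exec.path, if the action wraps pkexec
}

// unauthenticatedActions reports actions whose implicit authorization is
// "yes". The other legal values (no, auth_self, auth_admin, auth_self_keep,
// auth_admin_keep) either deny or require a password.
func unauthenticatedActions(policyXML string) ([]Finding, error) {
	var cfg policyConfig
	if err := xml.Unmarshal([]byte(policyXML), &cfg); err != nil {
		return nil, err
	}
	var out []Finding
	for _, a := range cfg.Actions {
		execPath := ""
		for _, an := range a.Annotations {
			if an.Key == "org.freedesktop.policykit.exec.path" {
				execPath = strings.TrimSpace(an.Value)
			}
		}
		for _, d := range []struct{ name, val string }{
			{"allow_any", a.Defaults.AllowAny},
			{"allow_inactive", a.Defaults.AllowInactive},
			{"allow_active", a.Defaults.AllowActive},
		} {
			if strings.TrimSpace(d.val) == "yes" {
				out = append(out, Finding{a.ID, d.name, execPath})
			}
		}
	}
	return out, nil
}

func main() {
	findings, err := unauthenticatedActions(usbFormatterPolicy)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s=yes, runs %s without authentication\n", f.ActionID, f.Subject, f.ExecPath)
	}
}
```

Point the checker at /usr/share/polkit-1/actions/ to find the same pattern
elsewhere. For a helper with the file system access described above, the
fix is to require auth_admin for allow_active (and keep allow_any and
allow_inactive at no), not merely to harden the helper.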

The com.deepin.filemanager.daemon.conf D-Bus configuration allows any
user to own the service's name on the system bus, so any user can
impersonate the service towards its clients.

None of the exported D-Bus methods is protected by polkit, which would
be necessary, as the following findings show:

Findings in the UserShareManager interface:

- setUserSharePassword: allows setting arbitrary users' smb passwords.
  Changes the database in /var/lib/samba/private. If at all, this must
  only be allowed for the caller's own username.
- addGroup: calls `groupadd`, so regular users can create arbitrary
  groups.
- addUserToGroup: allows arbitrary users to add arbitrary other users to
  arbitrary groups. Luckily this doesn't work on SUSE, because
  `/usr/sbin/adduser` is called but we have `useradd`.
- restartSambaService: calls `smbd restart`.

Findings in UsbFormatter:

- mkfs: creates jfs, ext2/3/4, btrfs, swap, hfs, dosfs, xfs or reiserfs
  file systems on arbitrary paths. This can overwrite arbitrary regular
  files, too, if they are large enough.

Findings in DeviceInfoManager:

- The methods in this interface are somewhat okay, but they still allow
  calling lsblk and various low-level file system information tools on
  arbitrary block devices or other paths.

[2]: https://bugzilla.suse.com/show_bug.cgi?id=1134131

deepin-anything
===============

This is a file search tool. Full details about the findings can be found
in [3]. The D-Bus configuration com.deepin.anything.conf allows anybody
to own the name com.deepin.anything on the system bus, so any user can
impersonate the service towards its clients. We did not look further
into its code base.

[3]: https://bugzilla.suse.com/show_bug.cgi?id=1136026
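The name-ownership problem shows up twice on this page, for
com.deepin.filemanager.daemon.conf and for com.deepin.anything.conf. As
an added example (not code from deepin or from dbus-daemon), the Go
program below parses a bus configuration file and lists every bus name
that the default context, i.e. every connection, is allowed to own. The
embedded configurations are constructed: the page only states that
anybody may own the name, not the files' exact contents.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed configuration in the shape the page describes: the default
// context, which applies to all connections, may claim the service name,
// so an unprivileged user can register it first and answer clients.
const anythingConf = `<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <allow own="com.deepin.anything"/>
    <allow send_destination="com.deepin.anything"/>
  </policy>
</busconfig>`

// Corrected form: only root may own the name; everybody may still call it.
const anythingConfFixed = `<busconfig>
  <policy user="root">
    <allow own="com.deepin.anything"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.deepin.anything"/>
  </policy>
</busconfig>`

type busConfig struct {
	Policies []struct {
		Context string `xml:"context,attr"`
		User    string `xml:"user,attr"`
		Group   string `xml:"group,attr"`
		Allow   []struct {
			Own       string `xml:"own,attr"`
			OwnPrefix string `xml:"own_prefix,attr"`
		} `xml:"allow"`
	} `xml:"policy"`
}

// worldOwnableNames lists the bus names (own_prefix entries are suffixed
// with "*") that a <policy context="default"> block lets any connection
// claim. A later <deny own=.../> could narrow an allow; the checker
// deliberately errs on the side of reporting so a human reviews it.
func worldOwnableNames(confXML string) ([]string, error) {
	var cfg busConfig
	if err := xml.Unmarshal([]byte(confXML), &cfg); err != nil {
		return nil, err
	}
	var names []string
	for _, p := range cfg.Policies {
		if p.Context != "default" {
			continue // scoped to a user, a group or the mandatory context
		}
		for _, a := range p.Allow {
			if a.Own != "" {
				names = append(names, a.Own)
			}
			if a.OwnPrefix != "" {
				names = append(names, a.OwnPrefix+"*")
			}
		}
	}
	return names, nil
}

func main() {
	for label, conf := range map[string]string{"as shipped": anythingConf, "fixed": anythingConfFixed} {
		names, err := worldOwnableNames(conf)
		if err != nil {
			fmt.Println(label, "parse error:", err)
			continue
		}
		fmt.Printf("%s: names ownable by any connection: %v\n", label, names)
	}
}
```

Run it over /etc/dbus-1/system.d/ and /usr/share/dbus-1/system.d/ to
catch the same mistake in other packages. An <allow own=...> in the
default context is only appropriate for names that are genuinely meant
to be claimed by arbitrary users, which a system service never is.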

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)
