Date: Tue, 22 Aug 2023 12:49:03 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: openSUSE-welcome: local privilege escalation when choosing XFCE desktop layout (CVE-2023-32184)

Hello list,

this report is about a local privilege escalation in the openSUSE-welcome [1]
dialog. Please find the full report below.

Introduction
============

openSUSE-welcome is a small Qt program that is autostarted the
first time a user performs a graphical login. It presents various
documentation and communication resources for the openSUSE distribution.

A peculiarity of the program is that when it is running in an XFCE desktop
environment (`$XDG_CURRENT_DESKTOP` environment variable set to `xfce`), a
"customise" button is also shown which allows selecting between different
XFCE desktop layout presets.

There exists a local privilege escalation issue in this component of
openSUSE-welcome that might allow other local users to execute code in the
context of the user that selects a different XFCE desktop layout using the
openSUSE-welcome dialog.

The Vulnerability
=================

openSUSE-welcome contains only a little C++ source code but relies on a couple
of advanced Qt features like QML descriptions that are used to model the
dialog. Due to this, understanding the setup of the XFCE specific customise
button is not straightforward. To understand the vulnerability, though, it is
sufficient to look at the relevant logic that is executed upon button press in
the `PanelLayouter` C++ class.

In `PanelLayouter::applyLayout()` [3] the fixed path "/tmp/layout" is used to
store a tarball containing XFCE configuration files:

    void PanelLayouter::applyLayout(const QString &path)
    {
        if (QFile::exists("/tmp/layout"))
            QFile::remove("/tmp/layout");
    
        QFile layout(path);
        layout.copy("/tmp/layout");
    
        QProcess::startDetached("/usr/bin/python3", {"-c", m_script});
    }

The `path` passed to this function is not an actual file system path, but
refers to a "Qt Resource" file embedded into the openSUSE-welcome application
that is transparently handled by the Qt framework libraries. This explains
the use of a temporary file in this function: it makes the data actually
visible to other processes. The tarballs used for this can be found in the
openSUSE-welcome repository [2].
</grReplace>
<gr_replace lines="68-69" cat="clarify" orig="The use of the fixed path">
The use of the fixed path "/tmp/layout" is problematic security-wise in
multiple ways. The system call sequence from the code above looks like this:

A Python script embedded into the `PanelLayouter` class (`m_script` member [4])
is used to pass the appropriate tarball to the XFCE4 Python module found
in "/usr/share/xfce4-panel-profiles/xfce4-panel-profiles/panelconfig.py". This
module offers an API to send a desktop layout configuration tarball to the
running XFCE desktop via the D-Bus session bus and process it.

The use of the fixed path "/tmp/layout" is problematic security wise in
multiple ways. The system call sequence from the code above looks like this:

    access("/tmp/layout", F_OK)             = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/tmp", O_RDWR|O_CLOEXEC|O_TMPFILE, 0600) = 55
    linkat(AT_FDCWD, "/proc/self/fd/55", AT_FDCWD, "/tmp/layout", AT_SYMLINK_FOLLOW) = 0
    chmod("/tmp/layout", 0444)              = 0

This of course offers attack surface for symlink attacks. If the Linux
kernel's symlink protection is off, other users can place symlinks here to
confuse the existence check or to overwrite arbitrary locations (the
`linkat()` call explicitly specifies `AT_SYMLINK_FOLLOW`). By default,
however, openSUSE does enable symlink protection, so this will be thwarted.

What happens if "/tmp/layout" already exists as a regular file, though? The
code above does not perform any error checks. This means a failing
`QFile::remove()` or `QFile::copy()` is not acted upon and the program logic
continues. The result is that, if "/tmp/layout" already exists and is
readable, attacker controlled data is used in the embedded Python script.
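As an added illustration (not code from openSUSE-welcome or the advisory), the two patterns side by side in plain C: the weak fixed-path flow of `applyLayout()` that silently tolerates a pre-existing file, and a hardened variant that, like the later `QTemporaryFile` fix, creates a uniquely named 0600 file with `mkstemp()` and checks every step. The layout bytes and the `/tmp/layout.XXXXXX` template are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the tarball bytes copied out of the Qt resource. */
static const char SAMPLE_LAYOUT[] = "constructed-layout-data";

/* Weak pattern, mirroring the control flow of the original applyLayout():
 * fixed, world-known name and no error handling. The caller is told the path
 * is ready even if the remove or the write failed, so whatever a pre-existing
 * "/tmp/layout" holds is what the consumer reads. */
const char *layout_fixed_path(const char *data, size_t len) {
    static const char path[] = "/tmp/layout";
    if (access(path, F_OK) == 0)
        unlink(path);                       /* result ignored */
    FILE *f = fopen(path, "w");             /* result ignored */
    if (f) { fwrite(data, 1, len, f); fclose(f); }
    return path;
}

/* Hardened pattern, same idea as the QTemporaryFile fix: random name created
 * O_CREAT|O_EXCL with mode 0600 by mkstemp(), every step checked. Writes the
 * path into out and returns 0, or returns -1 and leaves no file behind. */
int layout_unique_tempfile(const char *data, size_t len, char *out, size_t outlen) {
    char tmpl[] = "/tmp/layout.XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    for (size_t done = 0; done < len;) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; close(fd); unlink(tmpl); return -1; }
        done += (size_t)n;
    }
    if (close(fd) < 0 || strlen(tmpl) >= outlen) { unlink(tmpl); return -1; }
    strcpy(out, tmpl);
    return 0;
}

/* Check helpers: permission bits of a path (-1 on error) and exact contents. */
int file_mode(const char *path) { struct stat st; return stat(path, &st) ? -1 : (int)(st.st_mode & 07777); }
int file_equals(const char *path, const char *data, size_t len) {
    char buf[256]; FILE *f = fopen(path, "r"); if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf, f); fclose(f);
    return n == len && memcmp(buf, data, len) == 0;
}
```

The consumer should then be handed the unique path (or better, the open descriptor) and the file removed afterwards; the fixed-path variant is kept only to show what the original control flow looked like.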

Impact / Exploiting the Issue
=============================

When looking at the logic found in the "panelconfig.py" Python module,
one can see that the tarball expected as input is supposed to contain
configuration files following certain name patterns. Among other things, the
script copies any `*.rc` files found in the tarball into the user's home
directory. The module does have quite some verification logic, but it
contains enough loopholes to allow constructing a crafted tarball that causes
an arbitrary file in the user's home directory to be overwritten by attacker
controlled data.

The attached `hack_welcome.py` script is a PoC I wrote that demonstrates this,
by replacing the victim user's ".bashrc" file. The impact is arbitrary code
execution in the context of the victim user that runs XFCE, clicks customize
in the openSUSE-welcome dialog and chooses one of the layouts. Refer to the
PoC inline documentation for more details.

The only limitation is that the name of the victim's user account needs to be
known in advance. I suspect there are further attack vectors to make this even
simpler. I did not look into the XFCE logic that processes the configuration
received via the session D-Bus. It may be possible to achieve code execution
through a crafted valid XFCE configuration as well, e.g. via harmful
`.desktop` files.

Affectedness
============

All currently maintained versions of openSUSE have been affected by this
issue, but received updates in the meantime. Historically, openSUSE releases
dating back to at least openSUSE Leap 15.2 are affected.

Bugfix
======

Via commit 3c344ad7 [5] the `PanelLayouter` class is changed so that the
input tarball, which is actually a Qt resource file, is written to a safely
created `QTemporaryFile` instead. The embedded Python script is also turned
into a dedicated script that is placed on the file system.

Updates for the openSUSE-welcome package that contain this bugfix are
available for openSUSE Tumbleweed and openSUSE Leap 15.4 / 15.5.

CVE Assignment
==============

openSUSE-welcome is SUSE owned code, so we assigned CVE-2023-32184 for this
issue.

Timeline
========

2023-07-14: I noticed the use of a fixed temporary path in opensuse-welcome
            and decided to investigate it further.
2023-07-26: I started looking into the security impact and exploit
            possibilities which resulted in the PoC attached to this report.
2023-07-27: I started a security fix process [6] for the openSUSE-welcome package.
2023-07-28: The CVE was assigned for the issue.
2023-08-01: As there was no dedicated maintainer for openSUSE-welcome
            available, I developed a fix for this issue myself [7].
2023-08-11: After some delays and peer reviews the fix was merged into the
            GitHub repository.
2023-08-18: Updates with the bugfix for all maintained openSUSE distributions
            have become available by now.
2023-08-22: Publication of all vulnerability details.

References
==========

[1]: https://github.com/openSUSE/openSUSE-welcome
[2]: https://github.com/openSUSE/openSUSE-welcome/tree/v0.1.9/data/qrc/layouts
[3]: https://github.com/openSUSE/openSUSE-welcome/blob/v0.1.9/src/panellayouter.cpp#L38
[4]: https://github.com/openSUSE/openSUSE-welcome/blob/v0.1.9/src/panellayouter.cpp#L7
[5]: https://github.com/openSUSE/openSUSE-welcome/commit/3c344ad7f71d9b67fa8299bfeb3641f5f5d9e6d7
[6]: https://bugzilla.suse.com/show_bug.cgi?id=1213708
[7]: https://github.com/openSUSE/openSUSE-welcome/pull/32

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich

View attachment "hack_welcome.py" of type "text/plain" (5583 bytes)
