Re: dbus denial of service: CVE-2022-42010, -42011, -42012

[Demi Marie Obenour <demi () invisiblethingslab com>]

On Thu, Oct 06, 2022 at 04:40:10PM +0100, Simon McVittie wrote:
> On Thu, 06 Oct 2022 at 10:53:15 -0400, Demi Marie Obenour wrote:
> > Is the memory corruption potentially exploitable for local privilege
> > escalation?
>
> It is not known to be, but also not known not to be. I'm sure a
> sufficiently creative attacker can convert almost any memory corruption
> into arbitrary code execution, but exploit development is not my job
> (I'd rather fix the vulnerabilities!), so I have not attempted to
> weaponize this.

I, too, am not an exploit developer, but I agree with your conclusion.

> > Are clients using libdbus vulnerable if they are behind dbus-broker?
>
> I don't maintain dbus-broker and have not tested or audited it, so
> I don't know how much validation it does. I would hope that it would
> detect and prevent CVE-2022-42011 and CVE-2022-42010 (which involve
> invalid messages), but probably not CVE-2022-42012 (which involves a
> message that is odd but technically valid).

Should different-endian messages over AF_UNIX sockets just be rejected
outright?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Attachment: signature.asc
Description: