Re: libdbus CVE-2012-3524 fix

[Sebastian Krahmer <krahmer () suse de>]

Hi,

On Fri, Sep 14, 2012 at 10:15:42AM +0200, Tomas Hoger wrote:
> On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:
>
> > The recently discussed libdbus getenv() issue [1] turned out
> > to be easily exploitable on various UNIX systems, including
> > some Linux distributions. Common attack vectors are Xorg and
> > spice-gtk via auto-launching [2].
> > Properly patching requires fixes for libdbus and libgio,
> > depending on which you link your suid binaries.
>
> [ ... ]
>
> > [2] http://stealth.openwall.net/null/dzug.c
>
> Sebastian, can you confirm that this summary completely covers all your
> findings?

Um, I focused on the suid/daemons that we have on our dist, so theres
indeed no claim that the list of attack vectors is complete. I cannot
check any library/pam combination of any UNIX that is outthere. :)
Though, I tried to be as 'complete as possible'.
For example, you can also use su as attack vector if you run systemd
(via pam_systemd and su keeping a parent pam-session as root, triggering
pam_systemd.so load with user given environment; loading libdbus).
And finally pam_ck_connector, but AFAIS this cannot be triggered
as it only runs via login or login managers which dosn't leave room
for DBUS_SYSTEM_BUS_ADDRESS passing so easily.
But you know, these guys are maybe more clever than us and they get more
money for their results. Thats the A in APT. :)

> There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment
> variable in both libdbus and glib/libgio when used in a privileged
> (setuid or setgid) application.
>
> libdbus is currently tracked via CVE-2012-3524, with two known attack
> variants:
> - unixexec:, which is only supported in recent dbus versions (1.5+ from
>   what I can see)
> - autolaunch: combined with malicious PATH setting, leading to
>   execution of the attacker's dbus-launch.  This affects pre-1.5 dbus
>   versions too.

Ok, there is also 'nonce-tcp' which you could use to dump (parts of) secret files.
There is also the option to use a UNIX socket that you dont have write permission
to, writing semi-garbage to it (with root peer credentials), maybe triggering
actions in daemons that are 'unexpected'.


> libgio got CVE-2012-4425:
> - autolaunch: or empty address, combined with PATH setting, similar to
>   the second libdbus variant

Yes, but I didnt check libgio explicitely. There might be other issues lurking inside
libgio.

Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team