oss-sec mailing list archives
Re: libdbus CVE-2012-3524 fix
From: Sebastian Krahmer <krahmer () suse de>
Date: Mon, 17 Sep 2012 09:23:37 +0200
Hi,

On Fri, Sep 14, 2012 at 10:15:42AM +0200, Tomas Hoger wrote:
> On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:
> > The recently discussed libdbus getenv() issue [1] turned out to be easily
> > exploitable on various UNIX systems, including some Linux distributions.
> > Common attack vectors are Xorg and spice-gtk via auto-launching [2].
> > Properly patching requires fixes for libdbus and libgio, depending on
> > which you link your suid binaries.
> [ ... ]
> > [2] http://stealth.openwall.net/null/dzug.c
>
> Sebastian, can you confirm that this summary completely covers all your
> findings?
Um, I focused on the suid/daemons that we have on our dist, so there's indeed no claim that the list of attack vectors is complete. I cannot check any library/pam combination of any UNIX that is out there. :) Though, I tried to be as 'complete as possible'. For example, you can also use su as attack vector if you run systemd (via pam_systemd and su keeping a parent pam-session as root, triggering pam_systemd.so load with user given environment; loading libdbus). And finally pam_ck_connector, but AFAIS this cannot be triggered as it only runs via login or login managers which doesn't leave room for DBUS_SYSTEM_BUS_ADDRESS passing so easily. But you know, these guys are maybe more clever than us and they get more money for their results. That's the A in APT. :)
> There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment
> variable in both libdbus and glib/libgio when used in a privileged (setuid
> or setgid) application. libdbus is currently tracked via CVE-2012-3524,
> with two known attack variants:
> - unixexec:, which is only supported in recent dbus versions (1.5+ from
>   what I can see)
> - autolaunch: combined with malicious PATH setting, leading to execution
>   of the attacker's dbus-launch. This affects pre-1.5 dbus versions too.
Ok, there is also 'nonce-tcp' which you could use to dump (parts of) secret files. There is also the option to use a UNIX socket that you don't have write permission to, writing semi-garbage to it (with root peer credentials), maybe triggering actions in daemons that are 'unexpected'.
> libgio got CVE-2012-4425:
> - autolaunch: or empty address, combined with PATH setting, similar to the
>   second libdbus variant
Yes, but I didn't check libgio explicitly. There might be other issues lurking inside libgio.

Sebastian

-- 
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team
Current thread:
- libdbus CVE-2012-3524 fix Sebastian Krahmer (Sep 12)
- Re: libdbus CVE-2012-3524 fix Kurt Seifried (Sep 13)
- Re: libdbus CVE-2012-3524 fix Tomas Hoger (Sep 14)
- Re: libdbus CVE-2012-3524 fix Sebastian Krahmer (Sep 17)