oss-sec mailing list archives

deepin-clone: various symlink attacks


From: Matthias Gerstner <mgerstner () suse de>
Date: Thu, 4 Jul 2019 14:59:14 +0200

Hello,

deepin-clone [1] is a command line and graphical disk backup utility
that is part of the deepin desktop environment (a desktop environment
focused on Chinese users).

In the course of a review [2] of polkit privileges used by the
application the following major security issues have been found:

CVE-2019-13227) in GUI mode deepin-clone creates
  `/tmp/.deepin-clone.log` as root and follows symlinks there.
  
CVE-2019-13226) `Helper::temporaryMountDevice()` uses a predictable path
  `/tmp/.deepin-clone/mount/<block-dev-basename>` to temporarily mount a
  file system there. These paths can be prepared by an attacker and
  symlinks will be followed during mounting. If the attacker wins a race
  condition by quickly entering the mount point then it can also prevent
  the following unmount. This logic can e.g. be triggered by running
  `deepin-clone -i /dev/sdX`.

  An attacker can thus cause the file system to be permanently mounted
  at an arbitrary location in the file system.

CVE-2019-13229) `Helper::getPartitionSizeInfo()` uses `/tmp/partclone.log`
  as a fixed path during execution of partclone. The same issues about
  symlink attacks etc. as in the first item (CVE-2019-13227) apply here.

CVE-2019-13228) similarly, in `BootDoctor::fix()` the fixed path
  `/tmp/repo.iso` is created and the fixed directory `/tmp/.deepin-clone`
  is used. The same concerns as in the first and third items
  (CVE-2019-13227 and CVE-2019-13229) apply. By winning a race
  condition to replace the `/tmp/repo.iso` symlink with an
  attacker-controlled ISO file, further privilege escalation may be possible.

The issues have been fixed via the upstream commit [3].

Best Regards

Matthias

[1]: https://github.com/linuxdeepin/deepin-clone
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1130388
[3]: https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)
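
The fixed-path pattern behind the log file issues above (CVE-2019-13227, CVE-2019-13229), next to two hardened alternatives, as an added example in C that is not part of the original post and is neither deepin-clone's code nor its upstream fix. The function names, the `app.log` file name and the `/tmp/example-app-XXXXXX` template are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the report: fixed name in a shared directory, opened
 * without O_EXCL/O_NOFOLLOW, so a pre-planted symlink is followed. */
int open_log_naive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: the file must not exist yet (O_EXCL) and the final path
 * component must not be a symlink (O_NOFOLLOW). Returns -1 otherwise. */
int open_log_exclusive(const char *path)
{
    return open(path,
                O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Preferred: a fresh 0700 directory with an unpredictable name (mkdtemp),
 * then create the file relative to that directory's descriptor.
 * tmpl must end in "XXXXXX" and is rewritten in place. */
int open_log_private_dir(char *tmpl, const char *name)
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    int fd = openat(dirfd, name,
                    O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    close(dirfd);
    return fd;
}

int main(void)
{
    char tmpl[] = "/tmp/example-app-XXXXXX"; /* constructed name */
    int fd = open_log_private_dir(tmpl, "app.log");
    if (fd < 0) { perror("open_log_private_dir"); return 1; }
    printf("logging to %s/app.log\n", tmpl);
    close(fd);
    return 0;
}
```

`O_NOFOLLOW` only covers the last path component, which is why the private-directory variant is the stronger of the two: no other user can place anything inside the directory the file is created in.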
