Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: libdbus CVE-2012-3524 fix
From: Sebastian Krahmer <krahmer () suse de>
Date: Mon, 17 Sep 2012 09:23:37 +0200

Hi,

On Fri, Sep 14, 2012 at 10:15:42AM +0200, Tomas Hoger wrote:
On Wed, 12 Sep 2012 16:04:33 +0200 Sebastian Krahmer wrote:

The recently discussed libdbus getenv() issue [1] turned out
to be easily exploitable on various UNIX systems, including
some Linux distributions. Common attack vectors are Xorg and
spice-gtk via auto-launching [2].
Properly patching requires fixes for libdbus and libgio,
depending on which you link your suid binaries.

[ ... ]

[2] http://stealth.openwall.net/null/dzug.c

Sebastian, can you confirm that this summary completely covers all your
findings?

Um, I focused on the suid/daemons that we have on our dist, so theres
indeed no claim that the list of attack vectors is complete. I cannot
check any library/pam combination of any UNIX that is outthere. :)
Though, I tried to be as 'complete as possible'.
For example, you can also use su as attack vector if you run systemd
(via pam_systemd and su keeping a parent pam-session as root, triggering
pam_systemd.so load with user given environment; loading libdbus).
And finally pam_ck_connector, but AFAIS this cannot be triggered
as it only runs via login or login managers which dosn't leave room
for DBUS_SYSTEM_BUS_ADDRESS passing so easily.
But you know, these guys are maybe more clever than us and they get more
money for their results. Thats the A in APT. :)


There are problems with handling of DBUS_SYSTEM_BUS_ADDRESS environment
variable in both libdbus and glib/libgio when used in a privileged
(setuid or setgid) application.

libdbus is currently tracked via CVE-2012-3524, with two known attack
variants:
- unixexec:, which is only supported in recent dbus versions (1.5+ from
  what I can see)
- autolaunch: combined with malicious PATH setting, leading to
  execution of the attacker's dbus-launch.  This affects pre-1.5 dbus
  versions too.

Ok, there is also 'nonce-tcp' which you could use to dump (parts of) secret files.
There is also the option to use a UNIX socket that you dont have write permission
to, writing semi-garbage to it (with root peer credentials), maybe triggering
actions in daemons that are 'unexpected'.



libgio got CVE-2012-4425:
- autolaunch: or empty address, combined with PATH setting, similar to
  the second libdbus variant

Yes, but I didnt check libgio explicitely. There might be other issues lurking inside
libgio.

Sebastian


-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer () suse de - SuSE Security Team


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault