dbus config in 1.5.x has a hole

Bug #325797 reported by Robby Workman
Affects: wicd
Status: Fix Released
Importance: Critical
Assigned to: Dan O'Reilly

Bug Description

Reported by Tiziano Mueller of the Gentoo team (dev-zero on freenode IRC) and relayed to me by Jeremy Olexa (darkside_).

08:48 <@darkside_> dev-zero: yes?
08:50 <@dev-zero> darkside_: I'm not sure yet, but there might be a security issue in wicd
08:50 <@dev-zero> darkside_: in its dbus permission configuration to be precise
08:51 <@darkside_> dev-zero: ok, I'd appreciate your analysis. upstream already looked at the issue iirc
08:51 <@dev-zero> darkside_: there's a line "<allow own="org.wicd.daemon"/>" in the default-policy-context
08:52 <@dev-zero> darkside_: which - if I'm right - allows everyone to provide an interface-object org.wicd-daemon
08:52 <@darkside_> dev-zero: bbl, work stuff
08:53 <@dev-zero> darkside_: so, if either the daemon doesn't start, or a local user is able to crash the daemon, etc., that local user can start an alternative daemon and sniff the passwords a user enters to connect to a network
08:54 <@dev-zero> darkside_: and since every user can connect to the daemon, the evil user can also get an up-to-date list of available networks before crashing the daemon
09:06 <@darkside_> dev-0: thx, will pass it along here.

The attached patch should fix the issue. I've got a local bzr branch with the patch in it, but I don't want to push it publicly. I've tested it here and wicd still seems to work fine.
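The configuration hole described above, next to the usual correction, as an added example that is not part of this bug report or of wicd's own files: two constructed D-Bus policy fragments and a small Python check that flags bus names the default context is allowed to own.

```python
import xml.etree.ElementTree as ET

# Constructed policy file with the hole the report describes: name ownership
# granted in the default context, so any local user may claim the daemon's name.
WEAK_CONF = """<busconfig>
  <policy context="default">
    <allow own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""

# Constructed corrected pattern: ownership reserved to root and denied in the
# default context, while clients may still send messages to the daemon.
FIXED_CONF = """<busconfig>
  <policy user="root">
    <allow own="org.wicd.daemon"/>
  </policy>
  <policy context="default">
    <deny own="org.wicd.daemon"/>
    <allow send_destination="org.wicd.daemon"/>
  </policy>
</busconfig>"""


def default_ownable_names(conf_xml):
    """Return the bus names that the default context lets any user own.

    dbus-daemon applies the last matching rule, so a later <deny own=.../>
    cancels an earlier <allow own=.../> for the same name. This simplified
    audit handles exact names in context="default" policies only; it ignores
    own_prefix, the "*" wildcard and the mandatory context.
    """
    root = ET.fromstring(conf_xml)
    allowed = set()
    for policy in root.findall("policy"):
        if policy.get("context") != "default":
            continue  # user= / group= policies apply only to those principals
        for rule in policy:
            name = rule.get("own")
            if name is None:
                continue
            if rule.tag == "allow":
                allowed.add(name)
            elif rule.tag == "deny":
                allowed.discard(name)
    return allowed
```

Running the check over a distribution's /etc/dbus-1/system.d files gives a quick way to spot the same pattern in other services.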

CVE References

Robby Workman (rworkman) wrote :
Dan O'Reilly (oreilldf)
Changed in wicd:
importance: Undecided → Critical
status: New → Confirmed
Robby Workman (rworkman) wrote :

Once this is fixed and 1.5.9 is out, here's what I'm proposing to send to the CVE folks - does this look okay?

Subject : CVE Request - Wicd <= 1.5.8

In Wicd <=1.5.8, the dbus configuration file's default context
allows any user to own the org.wicd.daemon object, thus potentially
allowing a user to receive messages intended for the wicd daemon.
These messages could include, among other things, credentials for
secure networks.

Typically, Wicd is used on single-user systems (such as laptops),
and is started early in the boot process, so unless the daemon
crashes or is stopped for some other reason, leveraging this would
not be trivial for a malicious user, unless I'm missing something.

This is fixed in the Wicd-1.5.9 release, and is not present at all
in the development branch leading to 1.6.0.

The bug was discovered by Tiziano Mueller of the Gentoo team; thanks
to him for the report, analysis, and follow-up discussion.

Dan O'Reilly (oreilldf) wrote :

Looks ok to me.

Changed in wicd:
assignee: nobody → oreilldf
status: Confirmed → Fix Committed
Robby Workman (rworkman) wrote :

Fixed in 1.5.9, released 20090206.

Changed in wicd:
status: Fix Committed → Fix Released
Robby Workman (rworkman) wrote :

I can't link this via the standard means yet, as the CVE is still in "candidate" stage. For the record though, here's the link: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0489

This report contains Public Security information  
Everyone can see this security related information.