Arbitrary file disclosure via MITM of twitter feed

Bug #991982 reported by Marc Deslauriers on 2012-04-30
This bug affects 2 people
Affects                                      Importance  Assigned to
ubiquity-slideshow-ubuntu (Ubuntu)           Critical    Stéphane Graber
ubiquity-slideshow-ubuntu (Ubuntu Precise)   Critical    Stéphane Graber
ubiquity-slideshow-ubuntu (Ubuntu Quantal)   Critical    Stéphane Graber

Bug Description

Received via <email address hidden>:

Hi security team,

I discovered a security vulnerability in the Ubuntu Desktop 12.04
installer. I have attached a detailed description of the vulnerability,
along with an example of how it can be exploited by a remote attacker.

I have not disclosed these details to any other parties. Please keep me
updated with progress!

Cheers,
Paul.

Also see pdf attachment for more details.

Marc Deslauriers (mdeslaur) wrote :

Evan,

Could you take a look at this and confirm the vulnerability, and see where this should get fixed?

Thanks.

Marc Deslauriers (mdeslaur) wrote :

Paul Mutton is the reporter of this issue.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubiquity (Ubuntu):
status: New → Confirmed
Changed in ubiquity-slideshow-ubuntu (Ubuntu):
status: New → Confirmed
Dylan McCall (dylanmccall) wrote :

Ack!
Thanks very much for noticing this and reporting it so thoroughly, Paul.

I'm attaching a fix that applies to the slideshow. Doing it as a patch, because I'm not sure how branches work with private bug reports. This receives from twitter.com using https, and it encodes any URIs it receives using the appropriate functions. With this patch, Paul's attack (if it got around https) would generate a link like this:

<a class="twitter-url" href="javascript:alert(document.body.innerHTML)%22%20onmouseover=%22%20xmlhttp%20=%20new%20XMLHttpRequest();%20xmlhttp.onreadystatechange%20=%20function()%20%7B%20if%20(xmlhttp.readyState%20==%204)%20%7B%20alert('XSSed!%20...%20'%20+%20xmlhttp.responseText);%20%7D%20%7D;%20xmlhttp.open('GET',%20'file:///target/etc/passwd',%20true);%20xmlhttp.send(null);%20%22%20style=%22z-index:100;position:absolute;top:0px;left:0px;width:100%25;height:100%25;">buzz.mw/_uuI1j</a>

That is, it wouldn't link anywhere.

Marc Deslauriers (mdeslaur) wrote :

Thanks for the patch Dylan.

We need to figure out the best way to handle this. Since the ubiquity-slideshow-ubuntu package is bundled on the install cd, pushing out an updated ubiquity-slideshow-ubuntu package won't actually fix the issue during installation, but would make attackers aware of the issue.

This would need to wait until we release the 12.04.1 cd respin.

Changed in ubiquity-slideshow-ubuntu (Ubuntu):
milestone: none → ubuntu-12.04.1
Changed in ubiquity-slideshow-ubuntu (Ubuntu):
assignee: nobody → Stéphane Graber (stgraber)
importance: Undecided → Critical
status: Confirmed → Triaged
no longer affects: ubiquity (Ubuntu)
no longer affects: ubiquity-slideshow-ubuntu (Ubuntu Oneiric)
Changed in ubiquity-slideshow-ubuntu (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Stéphane Graber (stgraber)
milestone: none → ubuntu-12.04.1
Changed in ubiquity-slideshow-ubuntu (Ubuntu Quantal):
milestone: ubuntu-12.04.1 → ubuntu-12.10-beta-1
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2012-0956

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity-slideshow-ubuntu - 59

---------------
ubiquity-slideshow-ubuntu (59) quantal; urgency=low

  [ Julien Lavergne ]
  * All: Update version to 12.10.
  * Lubuntu: Replacing Synaptic by Lubuntu-Software-Center (LP: #958880)
  * Lubuntu: Change the link to the mailing list

  [ Harald Sitter ]
  * Kubuntu: Remove reference to commercial support from Canonical

  [ Dylan McCall ]
  * Support slideshow customization with ubiquity-slideshow/extra folder
    (LP: #1035806)
  * Changed build script to use some Python internally.
  * New, tidier format for build directory.
  * Always access twitter over https and properly encode URLs received from
    the twitter feed. (LP: #991982)
  * CVE-2012-0956

  [ Stéphane Graber ]
  * Refresh translations from Launchpad
 -- Stephane Graber <email address hidden> Wed, 15 Aug 2012 12:41:27 -0400

Changed in ubiquity-slideshow-ubuntu (Ubuntu Quantal):
status: Triaged → Fix Released
Marc Deslauriers (mdeslaur) wrote :

After testing the fix in this bug, it doesn't appear to be enough to solve the issue. The ssl cert is not being checked, which means a MITM can still alter the contents of the twitter feed.

Since the twitter feed can be altered, it is likely that javascript can still be injected in other fields of the feed.

Marc Deslauriers (mdeslaur) wrote :

Also, this is being downloaded and interpreted by a browser engine that shipped on the media, and didn't get any security updates.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity-slideshow-ubuntu - 58.2

---------------
ubiquity-slideshow-ubuntu (58.2) precise-security; urgency=low

  * Previous fix still allows for https MITM by not checking the SSL
    certificate. So turn off twitter completely for now. (LP: #991982)
    CVE-2012-0956

ubiquity-slideshow-ubuntu (58.1) precise-security; urgency=low

  [ Dylan McCall ]
  * Always access twitter over https and properly encode URLs received from
    the twitter feed. (LP: #991982)
  * CVE-2012-0956

  [ Stéphane Graber ]
  * Refresh translations from Launchpad
 -- Stephane Graber <email address hidden> Wed, 15 Aug 2012 15:50:32 -0400

Changed in ubiquity-slideshow-ubuntu (Ubuntu Precise):
status: Triaged → Fix Released
Dylan McCall (dylanmccall) wrote :

Sorry if I'm being thick: checking the SSL cert is in WebkitGtk or Ubiquity's turf, right? Some poking around tells me WebkitGtk indeed does not seem to be doing this the way I was expecting it would. If so, yes, I agree wholeheartedly with pulling this out for the time being. Any support code in Ubiquity (I guess like was added to Software Centre with bug #874242) would need to be in place well in advance.

We're using jsonp here, anyway, so we're in trouble as soon as the browser executes the replaced script. (That said, were that solved, I'd be happy to take the steps needed to guarantee that everything written to the document is properly escaped).

Thanks for looking after this, Stéphane.
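The URL encoding Dylan describes in his first patch comment and the JSONP problem he raises above, shown together as an added example in plain JavaScript (not the slideshow's own code): feed URLs are parsed with the WHATWG URL API, restricted to http(s) and HTML-escaped before they reach an href, and the feed body is parsed with JSON.parse as data rather than executed as a script. All function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not the slideshow's code. The original bug built
// <a href="..."> by concatenating strings taken straight from the feed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape the characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Return the normalized URL if its scheme is http(s), otherwise null.
// new URL() throws on relative or malformed input, which is also rejected.
function safeHref(raw) {
  let u;
  try { u = new URL(String(raw)); } catch (e) { return null; }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : null;
}

// Build the anchor markup for one feed entry; an unsafe or unparseable
// URL degrades to plain text instead of a link.
function renderLink(rawUrl, rawText) {
  const href = safeHref(rawUrl);
  const text = escapeHtml(rawText);
  if (href === null) return `<span class="twitter-url">${text}</span>`;
  return `<a class="twitter-url" href="${escapeHtml(href)}">${text}</a>`;
}

// The vulnerable pattern, for contrast: a quote in the URL breaks out of
// the attribute and the scheme is never checked.
function renderLinkUnsafe(rawUrl, rawText) {
  return `<a class="twitter-url" href="${rawUrl}">${rawText}</a>`;
}

// Treat the feed body as data. A JSONP <script src=...> executes whatever
// the server (or a MITM) returns; JSON.parse only yields values and throws
// on anything that is not JSON.
function parseFeed(body) {
  const data = JSON.parse(body);
  if (!Array.isArray(data)) throw new TypeError("feed must be an array");
  return data.map((t) => ({ text: String(t.text || ""), url: String(t.url || "") }));
}
```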

Dylan McCall (dylanmccall) wrote :

Okay, SSL should be fixed in the latest reference implementation for the install slideshow, so that code would just need to be copied over to Ubiquity for 12.10.

Here is the commit: http://bazaar.launchpad.net/~ubiquity-slideshow/ubiquity-slideshow-ubuntu/html/revision/480

On Thu, Aug 16, 2012 at 7:01 AM, Dylan McCall <email address hidden> wrote:
> Okay, SSL should be fixed in the latest reference implementation for the
> install slideshow, so that code would just need to be copied over to
> Ubiquity for 12.10.
>
> Here is the commit: http://bazaar.launchpad.net/~ubiquity-slideshow/ubiquity-slideshow-ubuntu/html/revision/480

Given that this is a security vulnerability, you may be able to
convince the release team to get this into 12.04.1 if you move
quickly, or failing that, 12.04.2.

Thanks Dylan

Marc Deslauriers (mdeslaur) wrote :

While I think the twitter feed in the slideshow is pretty cool, the fact is having this on media we can't change is problematic. The webkit engine that is being used to display the twitter feed gets around 20 security fixes every single month. As soon as one of those issues makes the twitter feed susceptible to being used as a way to systematically alter Ubuntu during installation, our installation media becomes useless and we need to re-spin a new one.

Once we publicize the fact that the twitter feed needed a security fix, I suspect it will start getting poked at by security researchers for the simple reason that fixing it requires issuing a whole new disc image.

If we really want to have this in the installer, I believe we need to rethink the way it is being done to have it use a server that is under our control and has a kill switch function.

visibility: private → public