2011-11-23 00:21:14 |
Tyler Hicks |
bug |
|
|
added bug |
2011-11-23 00:21:36 |
Tyler Hicks |
acpi-support (Ubuntu): status |
New |
Triaged |
|
2011-11-23 00:21:39 |
Tyler Hicks |
acpi-support (Ubuntu): importance |
Undecided |
Medium |
|
2011-11-23 00:21:41 |
Tyler Hicks |
acpi-support (Ubuntu): assignee |
|
Tyler Hicks (tyhicks) |
|
2011-11-23 00:50:32 |
Tyler Hicks |
affects |
acpi-support (Ubuntu) |
acpid (Ubuntu) |
|
2011-11-28 15:57:46 |
Tyler Hicks |
bug |
|
|
added subscriber otr |
2011-11-29 23:26:25 |
Tyler Hicks |
attachment added |
|
893821-powerbtn.patch https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821/+attachment/2613026/+files/893821-powerbtn.patch |
|
2011-11-30 20:47:50 |
Tyler Hicks |
description |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh that could allow a malicious user to execute arbitrary code as the user that is logged into the current X session. The prerequisites for the attack are as follows:
1.) The attacker must be able to run a malicious application on the system. This may not be a mitigating factor on a multi-user system with a malicious user.
2.) gnome-settings-daemon, kpowersave, xfce4-power-manager, guidance-power-manager.py, or dalston-power-applet cannot be running. Note that while one of these programs may be configured to run automatically, it is possible that known denial of service attacks may exist.
3.) powerbtn.sh must be triggered. This may happen by pressing a power button in a bare-metal installation or by virsh shutdown in a virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
A malicious user may be running a "fake" kded4 binary which has a malicious DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject shell commands that would be expanded as $XUSER. This opens up the possibility of the attacker running code as $XUSER. |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited. |
|
2011-11-30 21:13:02 |
Tyler Hicks |
description |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited. |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited. |
|
2011-12-08 19:08:23 |
Tyler Hicks |
cve linked |
|
2011-2777 |
|
2011-12-08 19:10:21 |
Tyler Hicks |
attachment added |
|
893821-powerbtn.patch https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821/+attachment/2624920/+files/893821-powerbtn.patch |
|
2011-12-08 19:11:02 |
Tyler Hicks |
attachment removed |
893821-powerbtn.patch https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821/+attachment/2613026/+files/893821-powerbtn.patch |
|
|
2011-12-08 22:04:00 |
Launchpad Janitor |
acpid (Ubuntu): status |
Triaged |
Fix Released |
|
2011-12-08 22:04:00 |
Launchpad Janitor |
cve linked |
|
2011-4578 |
|
2011-12-08 22:14:25 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/acpid |
|
2011-12-08 23:15:27 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/maverick-security/acpid |
|
2011-12-08 23:15:30 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/natty-security/acpid |
|
2011-12-08 23:15:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/oneiric-security/acpid |
|
2011-12-08 23:19:26 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-security/acpid |
|
2011-12-08 23:47:55 |
Tyler Hicks |
cve unlinked |
2011-4578 |
|
|
2011-12-08 23:50:09 |
Tyler Hicks |
visibility |
private |
public |
|
2011-12-09 00:09:26 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/lucid-updates/acpid |
|
2011-12-09 00:09:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/maverick-updates/acpid |
|
2012-03-04 04:57:33 |
Heby Joseph |
bug task added |
|
acpid |
|
2015-07-24 06:01:52 |
Ron Karoles |
description |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited. |
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited. |
|
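
A hardened counterpart to the line-40 excerpt described in this bug, as an added example; it is not the acpid or acpi-support code and not the patch attached here. The function names, the PROC_ROOT parameter, the character allowlist and the use of GNU `stat -c` are assumptions, the sample environ files are constructed, and dropping privileges to $XUSER is left out.

```shell
#!/bin/sh
# Added example, not the acpid/acpi-support code. PROC_ROOT is a hypothetical
# parameter so the check can be exercised on a fake tree; in real use it is /proc.

# read_bus_address PROC_ROOT PID EXPECTED_UID
# Prints the address only if PID is one number, the process belongs to
# EXPECTED_UID, and the value consists of plain address characters.
read_bus_address() {
    proc_root=$1 pid=$2 expected_uid=$3
    # pidof may print several pids or none; accept exactly one number.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    environ_file=$proc_root/$pid/environ
    # /proc/PID/environ is owned by the process's effective user, so this
    # rejects a same-named process started by another account.
    owner=$(stat -c %u "$environ_file" 2>/dev/null) || return 1   # GNU stat
    [ "$owner" = "$expected_uid" ] || return 1
    addr=$(tr '\0' '\n' < "$environ_file" |
           sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1)
    # Allowlist: quotes, ';', '$', backticks, spaces etc. are refused.
    case $addr in
        ''|*[!A-Za-z0-9_:=,/.%@-]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# run_with_bus ADDR CMD [ARGS...]
# Passes the address as an environment value; without eval it is never
# parsed as shell syntax.
run_with_bus() {
    bus=$1; shift
    env DBUS_SESSION_BUS_ADDRESS="$bus" "$@"
}

# Constructed sample: fake proc tree, pid 100 clean, pid 200 hostile.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/100" "$d/200" || return 1
    printf 'HOME=/home/u\0DBUS_SESSION_BUS_ADDRESS=unix:path=/tmp/dbus-abc,guid=12ab\0' > "$d/100/environ"
    printf 'DBUS_SESSION_BUS_ADDRESS=x; echo INJECTED\0' > "$d/200/environ"
    printf '%s\n' "$d"
}
```

The three rejections map to the three weaknesses in the original line: a name-only pid lookup that can return several pids, reading another user's environ as root, and evaluating the value as shell code.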