Simulate dbus method doesn't require authentication

Bug #1449587 reported by Marc Deslauriers on 2015-04-28
Affects: aptdaemon (Ubuntu) | Importance: Critical | Assigned to: Michael Vogt

Bug Description

Reported via email from Tavis Ormandy:

-----

$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt org.debian.apt.InstallFile string:/root/.bashrc
boolean:false
method return sender=:1.13166 -> dest=:1.13182 reply_serial=2
   string "/org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13"
$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt/transaction/1804d9c8373b4a00a905b029ca18ce13
org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-invalid-package-file:
Lintian check results for /root/.bashrc:
warning: "/root/.bashrc" cannot be processed.

$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt org.debian.apt.InstallFile string:/root/.bashrca
boolean:false
method return sender=:1.13166 -> dest=:1.13184 reply_serial=2
   string "/org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430"
$ dbus-send --print-reply --system --dest=org.debian.apt
/org/debian/apt/transaction/1a723099a3bb446c848dfcc46d0f5430
org.debian.apt.transaction.Simulate
Error org.debian.apt.TransactionFailed: error-unreadable-package-file:
/root/.bashrca

----

(mdeslaur): Not only does this expose the existence of arbitrary files, but it actually accesses them and processes untrusted packages.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1323

Michael Vogt (mvo) on 2015-04-28
Changed in aptdaemon (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
Changed in aptdaemon (Ubuntu):
assignee: nobody → Michael Vogt (mvo)
Michael Vogt (mvo) wrote :

Sorry that this has still not been done :( I will be on vac next week so it might be delayed even more. I will try to get to it tonight.

Marc Deslauriers (mdeslaur) wrote :

Is there any progress on this Michael?

Michael Vogt (mvo) on 2015-05-27
Changed in aptdaemon (Ubuntu):
status: Triaged → In Progress
Michael Vogt (mvo) wrote :

This might be sufficient, it's a bit ugly right now, should become a context manager:
with os.seteuid(trans.uid):
    ...
But should fix the issue that install-file can be used as an information leak.

Seth Arnold (seth-arnold) wrote :

I believe the improved patch just converts the issue into a race condition; the lintian run itself should probably also run with the privileges of the user that requested the simulation, no?

Thanks

Michael Vogt (mvo) wrote :

Thanks Seth for the review. The lintian code itself runs now as the user too (it was doing that before too but the getgroup/setgroups were missing :( ). Feedback/review very welcome.
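Michael's context-manager sketch above and Seth's point that the lintian run itself must also happen as the requesting user, written out as an added example (not aptdaemon's own code): the identity switch sets supplementary groups, gid and uid, and every access to the supplied path, including the package check, happens inside it. A read of the leading ar magic stands in for lintian, and the temp files and the missing path are constructed inputs.

```python
import contextlib
import os
import pwd
import tempfile

DEB_MAGIC = b"!<arch>\n"   # .deb files are ar archives; stand-in for lintian's check

@contextlib.contextmanager
def as_user(uid):
    """Run the block with the effective identity (groups, gid, uid) of `uid`."""
    if os.geteuid() != 0 or uid == os.geteuid():
        yield            # not root (or already that user): nothing to switch
        return
    pw = pwd.getpwuid(uid)
    saved = (os.getgroups(), os.getegid(), os.geteuid())
    os.setgroups(os.getgrouplist(pw.pw_name, pw.pw_gid))  # groups too, not just uid
    os.setegid(pw.pw_gid)
    os.seteuid(uid)
    try:
        yield
    finally:             # undo in reverse order: uid first, then gid, then groups
        os.seteuid(saved[2])
        os.setegid(saved[1])
        os.setgroups(saved[0])

def simulate_install_file(path, uid=None):
    """None if `path` looks like a .deb readable by `uid`, else an aptdaemon-style
    error key. Open and check both run as the user: checking as the user and
    then processing as root would only turn the leak into a race."""
    if uid is None:
        uid = os.geteuid()
    with as_user(uid):
        try:
            with open(path, "rb") as f:
                head = f.read(len(DEB_MAGIC))
        except OSError:
            # the user could learn this by opening the file themselves
            return "error-unreadable-package-file"
        return None if head == DEB_MAGIC else "error-invalid-package-file"

def demo():
    """Constructed inputs: a file with .deb magic, a text file, a missing path."""
    results = {}
    for name, body in (("good.deb", DEB_MAGIC + b"debian-binary"), ("notes.txt", b"hello\n")):
        with tempfile.NamedTemporaryFile(suffix=name, delete=False) as f:
            f.write(body)
        results[name] = simulate_install_file(f.name)
        os.unlink(f.name)
    results["missing"] = simulate_install_file("/nonexistent/constructed/path.deb")
    return results
```

For the real lintian subprocess the same drop belongs in the child before exec; on Python 3.9 and later the `user=`, `group=` and `extra_groups=` arguments of subprocess.Popen do exactly that.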

Michael Vogt (mvo) wrote :

If the latest incarnation of the patch looks ok I will prepare debdiffs for aptdaemon.

Seth Arnold (seth-arnold) wrote :

Michael, I believe these patches address the issue; it seems ready to me to put together debdiffs for publishing.

However, I'm a little concerned about the get_uid_from_dbus_name() and related calls in aptdaemon/policykit1.py -- using pids alone to identify a process is racy. Pids plus spawn times are stable. Our auditing guide recommends using polkit_unix_process_new_for_owner() -- any idea if that's amenable to this file?

policykit1.py get_proc_info_from_dbus_name() also makes the assumption that process command lines can be parsed as utf-8. How dire is the result of this routine crashing? I suspect it'll just be an inconvenience to the user, but I thought I should ask while we're here looking at it.

Thanks

Michael Vogt (mvo) wrote :

@Seth thanks for the review and the suggestions. I will look into this if polkit_unix_process_new_for_owner() can be used.

The backport for trusty and precise is also a bit more difficult due to source layout changes, I need to look into that next.

Marc Deslauriers (mdeslaur) wrote :

Hi Michael,

What's the status on these debdiffs?
Are they good to go, or do I simply need to add the missing py2 test to them?

Michael Vogt (mvo) wrote :

Hi Marc,

I think the diffs are good to go but I would love to do a final regression test once this is built in a private PPA. Is it possible for me to get access to a private PPA so that I can do an end-to-end test before this gets published? Or will you do this anyway (a final test that regular packages still install via e.g. software-center and that regular local debs can be viewed/installed via the normal software-center)?

Marc Deslauriers (mdeslaur) wrote :

I have successfully tested the proposed debdiffs.

I will publish updates for this issue on 2015-06-16 17:00:00 UTC

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr980-0ubuntu1.1

---------------
aptdaemon (1.1.1+bzr980-0ubuntu1.1) utopic-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Fri, 29 May 2015 19:03:05 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 0.43+bzr805-0ubuntu10

---------------
aptdaemon (0.43+bzr805-0ubuntu10) precise-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Tue, 02 Jun 2015 09:01:58 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package aptdaemon - 1.1.1+bzr982-0ubuntu3.1

---------------
aptdaemon (1.1.1+bzr982-0ubuntu3.1) vivid-security; urgency=low

  * SECURITY UPDATE: information disclosure via simulate dbus method
    (LP: #1449587)
    - debian/patches/lp1449587.diff: drop privileges when running lintian,
      update tests.
    - CVE-2015-1323

 -- Michael Vogt <email address hidden> Fri, 29 May 2015 19:00:31 +0200

Changed in aptdaemon (Ubuntu):
status: In Progress → Fix Released
information type: Private Security → Public Security
tags: added: patch
no longer affects: software-center-aptdaemon-plugins (Ubuntu)