Polkit authentification can be bypassed

Bug #764397 reported by Romain Perier on 2011-04-18
262
This bug affects 1 person
Affects Status Importance Assigned to Milestone
language-selector (Ubuntu)
High
Unassigned
Maverick
High
Martin Pitt
Natty
High
Unassigned

Bug Description

Binary package hint: language-selector

Hello,

The actual polkit authentification in the language-selector dbus backend can be easily bypassed.
Steps to reproduce:
1) download ls-dbus-polkit-bypass.py
2) from a terminal ./ls-dbus-polkit-bypass.py de_DE.UTF-8
3) when the polkit agent ask you the password just click "cancel"
3) log you from tty1
4) exec "locale"

LANG has been changed anyway, it should don't... (a root function has been executed bypassing system policy)
Also, SetSystemDefaultLanguageEnv and SetSystemDefaultLangEnv do not check input arguments, so we can perform code injection in root !

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: language-selector (not installed)
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic 2.6.38.2
Uname: Linux 2.6.38-8-generic x86_64
Architecture: amd64
Date: Mon Apr 18 11:20:58 2011
InstallationMedia: Kubuntu 11.04 "Natty Narwhal" - Alpha amd64 (20110202)
ProcEnviron:
 LANGUAGE=fr_FR
 LANG=fr_FR.UTF-8
 LC_MESSAGES=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: language-selector
UpgradeStatus: No upgrade log present (probably fresh install)

Romain Perier (rperier) wrote :
Romain Perier (rperier) wrote :

This patch should fix the authorization bypass

Romain Perier (rperier) wrote :

A possible fix for the code injection would be : check if sysLang and sysLanguage are found in the language list (see "data" directory), if they are not found the method could throw an error...

Felix Geyer (debfx) wrote :

This affects maverick and natty. language-selector in <= lucid doesn't use policykit.

I don't think it's easily possible to verify if the language is installed on the system (for example LANGUAGE can contain multiple ":" seperated languages).
Instead it should only make sure that one cannot inject shell commands.
This regex should do that: ^[\w\.\-@:]+$

Felix Geyer (debfx) wrote :

To test the patch you can call:
dbus-send --system --print-reply --dest=com.ubuntu.LanguageSelector / com.ubuntu.LanguageSelector.SetSystemDefaultLanguageEnv string:"abc\" EVIL_COMMAND && true \"xyz"

The old version writes LANGUAGE="abc" EVIL_COMMAND && true "xyz" to /etc/default/locale even when canceling the auth dialog.
The patched one always returns false.

Changed in language-selector (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-11.04
Martin Pitt (pitti) on 2011-04-19
Changed in language-selector (Ubuntu Natty):
status: New → Triaged
Changed in language-selector (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → High
Martin Pitt (pitti) wrote :

Thanks for the patch! I confirm that these are the only two places where this is used.

Security team, do you want a coordinated disclosure for this once the maverick and natty patches are ready, or can we fix this in natty now and make this bug public?

Martin Pitt (pitti) wrote :

I also updated Felix' patch a bit and applied it as well.

Both fixes are sitting in the natty bzr branch on my local machine now, but I didn't push yet as this bug is still private.

Changed in language-selector (Ubuntu Natty):
status: Triaged → Fix Committed
Martin Pitt (pitti) wrote :

I now also prepared a maverick branch with the backported fixes (also not pushed to LP yet).

Changed in language-selector (Ubuntu Maverick):
assignee: nobody → Martin Pitt (pitti)
status: Triaged → Fix Committed
Marc Deslauriers (mdeslaur) wrote :

@Martin, I can push this for Maverick today. Could you attach your updated patch for Maverick?

Also, I assume this only affects Ubuntu, and doesn't need coordination with any other distro?

Martin Pitt (pitti) wrote :

This is the maverick debdiff.

Some downstream derivatives of Ubuntu might use that (Mint, etc.?). Debian, Fedora, SUSE don't use it.

Jamie said that we should wait with this until Kees assigns a CVE, as it's originating from Ubuntu.

Kees Cook (kees) wrote :

CVE-2011-0729

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package language-selector - 0.6.7

---------------
language-selector (0.6.7) maverick-security; urgency=low

  [ Kees Cook ]
  * SECURITY UPDATE: language selector backend did not verify policy kit
    authentication.
    - debian/language-selector-common.postinst: shut down old backend.
    - CVE-2011-0729

  [ Martin Pitt ]
  * dbus_backend/ls-dbus-backend: Actually look at the PolicyKit check result
    and only proceed if it succeeded. Thanks to Romain Perier for finding this
    and providing the patch! This fixes a local root privilege escalation, as
    this allows any authenticated user to write arbitrary shell commands into
    /etc/default/locale. (LP: #764397)
  * dbus_backend/ls-dbus-backend: Reject locale names with invalid characters
    in it, to further prevent injecting shell code into /etc/default/locale
    for authenticated users. Thanks to Felix Geyer for the initial patch!
    (LP: #764397)
  * debian/control: Update Vcs-Bzr: for newly created maverick branch.
 -- Kees Cook <email address hidden> Tue, 19 Apr 2011 10:31:37 -0700

Changed in language-selector (Ubuntu Maverick):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2011-04-19
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package language-selector - 0.33

---------------
language-selector (0.33) natty; urgency=low

  * dbus_backend/ls-dbus-backend: Actually look at the PolicyKit check result
    and only proceed if it succeeded. Thanks to Romain Perier for finding this
    and providing the patch! This fixes a local root privilege escalation, as
    this allows any authenticated user to write arbitrary shell commands into
    /etc/default/locale. (LP: #764397) [CVE-2011-0729]
  * dbus_backend/ls-dbus-backend: Reject locale names with invalid characters
    in it, to further prevent injecting shell code into /etc/default/locale
    for authenticated users. Thanks to Felix Geyer for the initial patch!
    (LP: #764397)
  * dbus_backend/com.ubuntu.LanguageSelector.conf: Allow access to standard
    D-BUS introspection and properties interfaces. There's no reason to deny
    it, and it causes warnings.
  * debian/language-selector-common.postinst: Stop running D-BUS backend on
    upgrade.
 -- Martin Pitt <email address hidden> Tue, 19 Apr 2011 20:20:44 +0200

Changed in language-selector (Ubuntu Natty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers