com.canonical.NMOfono.ReadImsiContexts privilege escalation

Bug #1449245 reported by Seth Arnold on 2015-04-27
Affects                     Status   Importance   Assigned to        Milestone
network-manager (Ubuntu)             Undecided    Marc Deslauriers
Trusty                               Undecided    Marc Deslauriers
Utopic                               Undecided    Marc Deslauriers
Vivid                                Undecided    Marc Deslauriers

Bug Description

Tavis Ormandy reports the following:

Apparently you're not happy with me for discussing local privilege
escalation on oss-security, so as you requested, here's what appears
to be a problem in Ubuntu-specific code.

I thought I'd take a quick look at D-Bus services you add in Ubuntu
after the usb-creator bug, this one jumps out at me as incorrect:

http://bazaar.launchpad.net/~phablet-team/network-manager/ofono-format-cleanup/view/head:/debian/patches/add_ofono_settings_support.patch#L718

Untested, but that really looks like you can call
com.canonical.NMOfono.ReadImsiContexts(imsi:"../../../tmp/whatever"),
and supply one of those glib keyfiles (i guess you just need to call
it "gprs")?

Tavis.

CVE References

CVE-2015-1322

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1322

Looks like there may indeed be a way to use this to read a properly formatted ini file meant to be read only by root. My understanding is that otherwise g_key_file_load_from_file will "simply" fail to parse the ini file, with whatever other implications that entails. NM would then be tricked into logging this data in syslog.

I think it's also not required at this time to be root to call that DBus method:
+ <policy context="default">
+ <deny own="com.canonical.NMOfono"/>
+ <allow send_destination="com.canonical.NMOfono"/>
+ </policy>
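Review bot: the `<allow send_destination="com.canonical.NMOfono"/>` under `<policy context="default">` lets every bus client, not only root, call the service's methods, which is what makes the ReadImsiContexts file-name problem reachable from an unprivileged session; consider a `<deny send_destination="com.canonical.NMOfono"/>` in the default context and moving the `<allow send_destination=...>` under a `<policy user="root">` block so only the intended privileged caller can reach the interface, and verify with a non-root `dbus-send` that the call is refused.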
... Which is something that should be tested and changed if possible.

Here is a proposed fix.

It was brought to my attention that this was missing setting the error when returning FALSE, as per the usual GLib standards. Attached is another version of the same patch.

Changed in network-manager (Ubuntu Trusty):
status: New → Confirmed
Changed in network-manager (Ubuntu Utopic):
status: New → Confirmed
Changed in network-manager (Ubuntu Vivid):
status: New → Confirmed
Changed in network-manager (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in network-manager (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in network-manager (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.8.8-0ubuntu28.1

---------------
network-manager (0.9.8.8-0ubuntu28.1) utopic-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:10:22 -0400
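The changelog above describes the fix as stripping slashes from the file name that the plugin builds from the D-Bus-supplied IMSI. As an added illustration, not the NetworkManager ofono plugin's own code, the following C shows both that approach and the stricter allow-list check a reviewer would want before a caller-controlled string becomes a path component. `BASE_DIR`, `strip_path_separators`, `imsi_is_valid` and `gprs_path_for` are hypothetical names, the directory is a placeholder, and the inputs in `main` are constructed samples.

```c
/* Added example, not the NetworkManager ofono plugin's code.
 * BASE_DIR is a placeholder directory; the function names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BASE_DIR "/var/lib/nm-ofono-example"  /* placeholder, not the real path */
#define IMSI_MAX_DIGITS 15                    /* an IMSI is at most 15 digits  */

/* Mitigation as the changelog describes it: drop every '/' so the name can
 * no longer climb out of BASE_DIR. Returns a malloc'd string (caller frees)
 * or NULL on allocation failure. "../../../tmp/whatever" becomes
 * "......tmpwhatever": harmless, but still an odd file name. */
char *strip_path_separators(const char *name)
{
    size_t n = strlen(name), j = 0;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++)
        if (name[i] != '/')
            out[j++] = name[i];
    out[j] = '\0';
    return out;
}

/* Stricter allow-list: accept only 1..IMSI_MAX_DIGITS ASCII digits.
 * Anything else (path separators, "..", an empty string) is rejected. */
int imsi_is_valid(const char *imsi)
{
    size_t n = strlen(imsi);
    if (n == 0 || n > IMSI_MAX_DIGITS)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)imsi[i]))
            return 0;
    return 1;
}

/* Build "<BASE_DIR>/<imsi>/gprs" for a valid IMSI; NULL if the caller-supplied
 * value fails validation. A static buffer keeps the example simple; a real
 * plugin would allocate (e.g. g_build_filename) and set a GError on failure. */
const char *gprs_path_for(const char *imsi)
{
    static char path[512];
    if (!imsi_is_valid(imsi))
        return NULL;
    int r = snprintf(path, sizeof path, "%s/%s/gprs", BASE_DIR, imsi);
    if (r < 0 || (size_t)r >= sizeof path)
        return NULL;
    return path;
}

int main(void)
{
    /* Constructed sample inputs: a plausible IMSI, a traversal string
     * of the shape quoted in the report, and an empty string. */
    const char *inputs[] = { "310260000000000", "../../../tmp/whatever", "" };
    for (size_t i = 0; i < 3; i++) {
        char *stripped = strip_path_separators(inputs[i]);
        const char *p = gprs_path_for(inputs[i]);
        printf("%-24s stripped=%-20s allow-list=%s\n",
               inputs[i], stripped ? stripped : "(oom)", p ? p : "rejected");
        free(stripped);
    }
    return 0;
}
```

Stripping separators is enough to keep the lookup inside the intended directory, which is what the update needed to do; the allow-list additionally refuses to log or act on garbage names at all, which matters when the caller is any bus client rather than a trusted one.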

Changed in network-manager (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.8.8-0ubuntu7.1

---------------
network-manager (0.9.8.8-0ubuntu7.1) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:11:22 -0400

Changed in network-manager (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.10.0-4ubuntu15.1

---------------
network-manager (0.9.10.0-4ubuntu15.1) vivid-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:06:00 -0400

Changed in network-manager (Ubuntu Vivid):
status: Confirmed → Fix Released
information type: Private Security → Public Security