[Pkg-utopia-maintainers] Bug#689070: Please take upstream D-Bus patches for CVE-2012-3524

Simon McVittie smcv at debian.org
Sat Sep 29 15:58:55 UTC 2012


On 28/09/12 22:30, Geoffrey Thomas wrote:
> CVE-2012-3524 is about setuid binaries linking libdbus being easily
> trickable to do bad things via a malicious PATH (for finding
> dbus-launch), or through a DBUS_* address variable using the unixexec
> address type.

Potentially-vulnerable binaries are anything that is setuid and links
either libdbus-1.so.3 (CVE-2012-3524), directly or via e.g.
libpam-systemd or libhal, or libgio-2.0.so.0 >= 2.26 (CVE-2012-4425).
squeeze's libgio-2.0 is too old to be vulnerable to this anyway (it
doesn't have a D-Bus implementation).

I consider patching the libraries to be defence-in-depth, rather than a
real solution: the real solution is for setuid binaries to clear their
caller-supplied environments before they call into non-trivial
libraries. Nevertheless, patching libdbus is the most expedient way to
become less exploitable.

Security team: do you want to handle this for squeeze as a security
update, or a normal stable update? I attach a proposed debdiff;
s/stable/stable-security/ if desired.

The "unixexec" attack vector for arbitrary code execution doesn't work
for squeeze, because that feature is too new. I believe the dbus-launch
attack vector for arbitrary code execution only works if you have
libdbus-1-3 and a vulnerable setuid binary that links it, but not
dbus-x11. There are also some less severe attack vectors involving
revealing part of a normally-unreadable file via the nonce-tcp
transport, or sending the beginning of a D-Bus handshake to a
normally-unavailable Unix socket; these will work in squeeze too.

The specific binaries I'm aware of that are likely to be vulnerable in
squeeze are:

* Xorg when linked to libhal and run via /usr/bin/X (only on non-Linux,
  because it isn't linked to libdbus any more on Linux; unconfirmed)

and in wheezy:

* Xorg on non-Linux, as in squeeze
* su with libpam-systemd (unconfirmed but likely)
* sudo with libpam-systemd (unconfirmed; might be unaffected,
  since it's pretty careful with its environment)
* spice-gtk (confirmed to be vulnerable to CVE-2012-4425,
  I opened #689155)

I haven't done a whole-archive scan or anything, though.

For sid, CVE-2012-3524 is fixed by dbus/1.6.8-1.

For wheezy, it will be fixed in 1.6.8-1 if the release team let it
migrate, and/or 1.6.0-2 (not yet uploaded) if they want to go via t-p-u.
See #689148 for the release-team interaction.

To help with testing, I attach a relatively harmless version of an
exploit for this vulnerability: it creates a vulnerable setuid-nobody
binary, and tries to use it to "escalate" privileges from the real user
to nobody. It requires sudo privileges to chown/chmod the vulnerable
binary, but does not use them for the actual exploit.

The good result is if you get syslog messages like this:

Sep 29 16:27:24 archetype cve-2012-3524: begin
Sep 29 16:27:24 archetype cve-2012-3524: end

A bad result looks more like this:

cve-2012-3524: begin
evil-dbus-launch-substitute: uid=1000(smcv) gid=1000(smcv)
euid=65534(nobody) ...
cve-2012-3524: end

(you'll get up to two evil-dbus-launch-substitute lines, depending on
which version(s) of the attack worked).

Regards,
    S
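An added example, not part of the email or the Debian patch, of what the "real solution" above looks like inside a setuid program: rebuild the environment from a short allowlist and a fixed PATH before any libdbus or GIO code runs, so neither a caller-chosen PATH (where dbus-launch is searched for) nor a DBUS_* address variable survives. The allowlist and the trusted PATH value are assumptions.

```c
/* Added example, not from the Debian patch: scrub the caller-supplied
 * environment in a setuid program before any libdbus/GIO code runs. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
extern char **environ;
/* Assumed policy: a fixed PATH, so helpers such as dbus-launch are only
 * looked up in system directories, and a short allowlist of inherited vars. */
#define TRUSTED_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
static const char *const keep[] = { "TERM", "LANG", "TZ", NULL };

/* 1 if a "NAME=value" entry may survive, else 0: every DBUS_* variable
 * (bus addresses, including unixexec: ones) and anything not on the
 * allowlist is dropped; PATH is pinned separately. */
int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);
    if (strncmp(entry, "DBUS_", 5) == 0)
        return 0;
    for (const char *const *k = keep; *k; k++)
        if (strlen(*k) == n && strncmp(entry, *k, n) == 0)
            return 1;
    return 0;
}

/* Rebuild the environment from scratch; returns how many inherited entries
 * were kept, or -1 on allocation failure.  (glibc's clearenv() could
 * replace the "environ = empty" step.) */
int sanitize_environment(void)
{
    static char *empty[] = { NULL };
    char **old = environ, **save;
    size_t n = 0, kept = 0, i;
    while (old && old[n]) n++;
    if (!(save = calloc(n + 1, sizeof *save)))
        return -1;
    for (i = 0; i < n; i++)
        if (env_entry_allowed(old[i]) && (save[kept] = strdup(old[i])))
            kept++;
    environ = empty;              /* forget everything the caller supplied */
    for (i = 0; i < kept; i++) {
        char *eq = strchr(save[i], '=');
        if (eq) { *eq = '\0'; setenv(save[i], eq + 1, 1); } /* setenv copies */
        free(save[i]);
    }
    free(save);
    setenv("PATH", TRUSTED_PATH, 1);
    return (int)kept;
}
```

Call sanitize_environment() as the first thing in main(), before any library initialisation, and extend the allowlist only with variables whose effect on the libraries you link is understood.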
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dbus_1.2.24-4+squeeze2_proposed.diff
Type: text/x-patch
Size: 16112 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20120929/adb0108c/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cve-2012-3524.sh
Type: application/x-shellscript
Size: 1140 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-utopia-maintainers/attachments/20120929/adb0108c/attachment-0001.bin>