ubports / ubuntu-touch

Ubuntu Touch's issue inbox is now migrated to GitLab.
https://gitlab.com/ubports/ubuntu-touch

CVE-2022-40297 #2057

Open ivoxavier opened 2 years ago

ivoxavier commented 2 years ago

On a random navigation through CVEs, I spotted this one.

Logfiles and additional information

https://github.com/filipkarc/PoC-ubuntutouch-pin-privesc
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40297

Illustration (image retrieved from the owner's repo)

dobey commented 2 years ago

There are several problems with this:

1) There was absolutely no consideration of responsible disclosure or discussion with UT devs in private, and the person just posted on Twitter that one could do this (note that one can also do similar attacks on most any system).
2) This doesn't deserve a CVE, and the person "demonstrating" this is obviously ignoring existing measures in place which already prevent the issue.
3) As part of said measures, in order to do anything in the Terminal app, one must enter their PIN or password anyway.
4) Additionally, random apps from the store can't simply execute sudo as such. The app must be using the unconfined apparmor profile, which Terminal does, and for which the Open Store requires manual review and that any such app be open source.

gbdomubpkm commented 2 years ago

In simple terms, does this mean that the supposed security flaw does not exist ?

dobey commented 2 years ago

> In simple terms, does this mean that the supposed security flaw does not exist ?

It means this isn't really a security flaw in the software itself. If you choose a trivial password, it will be trivial to guess it. This is not limited to Ubuntu Touch. Even if it were a six-digit PIN, as is commonly used on iOS/Android, the password will be trivial to guess. Is it really a "privilege escalation exploit" because you can run sudo and have a trivial password? Is it a PE flaw that you can enable root from Android developer options?

If anything, the only "flaw" here is that sudo doesn't do escalating back-off for failures, nor does it provide any method of preventing the running of sudo after N failed attempts to run it. This is true on any platform where sudo can be used.
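
The lockout-after-N-failures behaviour mentioned in the comment above is normally supplied by the PAM stack rather than by sudo itself. The fragment below is an added example, not part of this issue, the PoC repo, or the Ubuntu Touch image; it assumes a Debian/Ubuntu-style layout in which `/etc/pam.d/sudo` includes `common-auth`, and that the installed Linux-PAM is new enough (1.4+) to ship `pam_faillock.so`. The `deny`, `unlock_time` and `delay` values are illustrative choices, not project defaults.

```conf
# /etc/pam.d/common-auth  (constructed example; assumed to be included by /etc/pam.d/sudo)

# --- Default stack: each sudo invocation gets a fresh try, no memory of past failures ---
# auth    [success=1 default=ignore]  pam_unix.so nullok_secure
# auth    requisite                   pam_deny.so
# auth    required                    pam_permit.so

# --- Hardened stack: count failures across invocations and lock the account ---
# preauth: refuse outright if the user is already locked (deny=5 failures, 15 min lock)
auth    required                    pam_faillock.so preauth silent deny=5 unlock_time=900
# add a fixed 3-second penalty to every failed attempt (value is in microseconds)
auth    optional                    pam_faildelay.so delay=3000000
# normal password check; on success skip the next line
auth    [success=1 default=bad]     pam_unix.so nullok_secure
# authfail: record the failure and stop the stack
auth    [default=die]               pam_faillock.so authfail deny=5 unlock_time=900
# authsucc: reset the counter on a successful login
auth    sufficient                  pam_faillock.so authsucc deny=5 unlock_time=900
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# /etc/pam.d/common-account  (add alongside the existing pam_unix.so line)
account required                    pam_faillock.so
```

With this in place a guessing loop through a 4-digit PIN gets five tries and then a 15-minute wait per window, instead of an unbounded stream of attempts; `faillock --user <name> --reset` clears the counter for an administrator. On images whose PAM predates 1.4 the equivalent module is `pam_tally2.so` (`auth required pam_tally2.so deny=5 unlock_time=900` plus `account required pam_tally2.so`). Note that sudo's own `passwd_tries` (default 3) only limits attempts within one invocation; it does not persist across invocations, which is why the cross-invocation counter has to come from PAM.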

gbdomubpkm commented 2 years ago

Thanks @dobey for the explanation. Perhaps it should be considered that the "problem" raised is useful in that it gives a glimpse of security points which could possibly be improved on UT.