com.canonical.NMOfono.ReadImsiContexts privilege escalation

Bug #1449245 reported by Seth Arnold
Affects                    Status        Importance  Assigned to       Milestone
network-manager (Ubuntu)   Fix Released  Undecided   Marc Deslauriers
  Trusty                   Fix Released  Undecided   Marc Deslauriers
  Utopic                   Fix Released  Undecided   Marc Deslauriers
  Vivid                    Fix Released  Undecided   Marc Deslauriers

Bug Description

Tavis Ormandy reports the following:

Apparently you're not happy with me for discussing local privilege
escalation on oss-security, so as you requested, here's what appears
to be a problem in Ubuntu-specific code.

I thought I'd take a quick look at D-Bus services you add in Ubuntu
after the usb-creator bug; this one jumps out at me as incorrect:

http://bazaar.launchpad.net/~phablet-team/network-manager/ofono-format-cleanup/view/head:/debian/patches/add_ofono_settings_support.patch#L718

Untested, but that really looks like you can call
com.canonical.NMOfono.ReadImsiContexts(imsi:"../../../tmp/whatever"),
and supply one of those glib keyfiles (I guess you just need to call
it "gprs")?

Tavis.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2015-1322

Mathieu Trudel-Lapierre (cyphermox) wrote :

Looks like there may indeed be a way to use this to read a properly formatted ini file meant to be read only by root. My understanding is that otherwise g_key_file_load_from_file will "simply" fail to parse the ini file, with whatever other implications that entails. NM would then be tricked into logging this data in syslog.

I think it's also not required at this time to be root to call that DBus method:
+ <policy context="default">
+ <deny own="com.canonical.NMOfono"/>
+ <allow send_destination="com.canonical.NMOfono"/>
+ </policy>
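Review bot: the `<allow send_destination="com.canonical.NMOfono"/>` line sits inside `<policy context="default">`, so any local bus client, not only root, may call ReadImsiContexts. Keep only the `<deny own="com.canonical.NMOfono"/>` in the default context and move the allow into a `<policy user="root">` block (or the specific uid that legitimately needs the method). Tightening the bus policy is defence in depth, not a substitute for validating the imsi argument in the method itself, since the traversal remains reachable by any caller the policy admits.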
... Which is something that should be tested and changed if possible.
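As an added illustration of the two layers discussed in this report, the following C example is not code from NetworkManager or the ofono settings plugin. It places an unvalidated path build (a caller-supplied IMSI joined straight into a settings path) beside two mitigations: stripping slashes, which is what the Ubuntu changelog describes, and a stricter allowlist that accepts only a decimal-digit IMSI. The base directory `/var/lib/ofono`, the `<base>/<imsi>/gprs` layout and the 6-to-15-digit length bound are assumptions made for the example.

```c
/* Added example, not NetworkManager or ofono-plugin code.
 * Demonstrates why a D-Bus string argument must be validated before it
 * becomes a path component, and two ways to do so. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed base directory and file layout for this example. */
#define IMSI_BASE_DIR "/var/lib/ofono"
#define IMSI_SETTINGS_FILE "gprs"

/* Plain path builder: joins the three parts with no checks. A handler
 * that passes the raw D-Bus argument straight here is the vulnerable
 * form: "../../../tmp/whatever" escapes IMSI_BASE_DIR entirely. */
char *imsi_path_join(const char *imsi) {
    size_t n = strlen(IMSI_BASE_DIR) + 1 + strlen(imsi) + 1 +
               strlen(IMSI_SETTINGS_FILE) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    snprintf(p, n, "%s/%s/%s", IMSI_BASE_DIR, imsi, IMSI_SETTINGS_FILE);
    return p;
}

/* Mitigation 1, the approach named in the changelog: remove every '/'
 * so the value can only ever name a single directory entry under the
 * base. Returns a newly allocated string; caller frees. */
char *strip_slashes(const char *s) {
    char *out = malloc(strlen(s) + 1);
    if (!out) return NULL;
    char *w = out;
    for (; *s; s++)
        if (*s != '/') *w++ = *s;
    *w = '\0';
    return out;
}

/* Mitigation 2, stricter: allowlist the expected shape of an IMSI.
 * Decimal digits only; the 6..15 length bound is this example's choice.
 * Nothing that passes can contain a separator or "..". */
bool imsi_is_valid(const char *imsi) {
    size_t len = imsi ? strlen(imsi) : 0;
    if (len < 6 || len > 15) return false;
    for (size_t i = 0; i < len; i++)
        if (imsi[i] < '0' || imsi[i] > '9') return false;
    return true;
}

/* Hardened builder: rejects bad input and reports why, mirroring the
 * GLib convention of setting an error whenever FALSE/NULL is returned.
 * *err points at a static string; the caller does not free it. */
char *imsi_path_checked(const char *imsi, const char **err) {
    if (!imsi_is_valid(imsi)) {
        if (err) *err = "imsi must be 6 to 15 decimal digits";
        return NULL;
    }
    if (err) *err = NULL;
    return imsi_path_join(imsi);
}

int main(void) {
    /* Constructed sample inputs: one plausible IMSI, one traversal. */
    const char *inputs[] = { "310150123456789", "../../../tmp/whatever" };
    for (size_t i = 0; i < 2; i++) {
        const char *err = NULL;
        char *raw = imsi_path_join(inputs[i]);
        char *stripped = strip_slashes(inputs[i]);
        char *safe = imsi_path_checked(inputs[i], &err);
        printf("input=%s\n  unchecked=%s\n  stripped=%s\n  checked=%s\n",
               inputs[i], raw, stripped, safe ? safe : err);
        free(raw); free(stripped); free(safe);
    }
    return 0;
}
```

Slash stripping keeps the file inside the base directory but still lets arbitrary names through; the allowlist also guarantees that a malformed value never reaches `g_key_file_load_from_file` at all, which removes the parse-failure and syslog-logging path described above.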

Mathieu Trudel-Lapierre (cyphermox) wrote :

Here is a proposed fix.

Mathieu Trudel-Lapierre (cyphermox) wrote :

It was brought to my attention that this was missing setting the error when returning FALSE, as per the usual GLib standards. Attached is another version of the same patch.

Changed in network-manager (Ubuntu Trusty):
status: New → Confirmed
Changed in network-manager (Ubuntu Utopic):
status: New → Confirmed
Changed in network-manager (Ubuntu Vivid):
status: New → Confirmed
Changed in network-manager (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in network-manager (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in network-manager (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.8.8-0ubuntu28.1

---------------
network-manager (0.9.8.8-0ubuntu28.1) utopic-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:10:22 -0400

Changed in network-manager (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.8.8-0ubuntu7.1

---------------
network-manager (0.9.8.8-0ubuntu7.1) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:11:22 -0400

Changed in network-manager (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-manager - 0.9.10.0-4ubuntu15.1

---------------
network-manager (0.9.10.0-4ubuntu15.1) vivid-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue resulting in connection
    modification and possible arbitrary file disclosure (LP: #1449245)
    - debian/patches/CVE-2015-1322.patch: strip slashes from filename
      in src/settings/plugins/ofono/plugin.c.
    - CVE-2015-1322

 -- Marc Deslauriers <email address hidden> Tue, 28 Apr 2015 07:06:00 -0400

Changed in network-manager (Ubuntu Vivid):
status: Confirmed → Fix Released
information type: Private Security → Public Security