orion / rpms / dbus

Forked from rpms/dbus a year ago
Clone
271b18
From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
271b18
From: Simon McVittie <smcv@collabora.com>
271b18
Date: Thu, 30 May 2019 12:53:03 +0100
271b18
Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
271b18
 owner
271b18
271b18
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
271b18
of a shared home directory by having the server write a secret "cookie"
271b18
into a .dbus-keyrings subdirectory of the desired identity's home
271b18
directory with 0700 permissions, and having the client prove that it can
271b18
read the cookie. This never actually worked for non-malicious clients in
271b18
the case where server uid != client uid (unless the server and client
271b18
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
271b18
Unix uid 0) because an unprivileged server would fail to write out the
271b18
cookie, and an unprivileged client would be unable to read the resulting
271b18
file owned by the server.
271b18
271b18
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
271b18
is owned by the uid of the server (a side-effect of a check added to
271b18
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
271b18
by a non-malicious client with a uid differing from the server's.
271b18
271b18
Joe Vennix of Apple Information Security discovered that the
271b18
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
271b18
attack: a malicious client with write access to its own home directory
271b18
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
271b18
read and write in unintended locations. In the worst case this could
271b18
result in the DBusServer reusing a cookie that is known to the
271b18
malicious client, and treating that cookie as evidence that a subsequent
271b18
client connection came from an attacker-chosen uid, allowing
271b18
authentication bypass.
271b18
271b18
This is mitigated by the fact that by default, the well-known system
271b18
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
271b18
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
271b18
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
271b18
at an early stage, before manipulating cookies. As a result, this
271b18
vulnerability only applies to:
271b18
271b18
* system or session dbus-daemons with non-standard configuration
271b18
* third-party dbus-daemon invocations such as at-spi2-core (although
271b18
  in practice at-spi2-core also only accepts EXTERNAL by default)
271b18
* third-party uses of DBusServer such as the one in Upstart
271b18
271b18
Avoiding symlink attacks in a portable way is difficult, because APIs
271b18
like openat() and Linux /proc/self/fd are not universally available.
271b18
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
271b18
a non-matching uid, we can solve this vulnerability in an easier way
271b18
without regressions, by rejecting it early (before looking at
271b18
~/.dbus-keyrings) whenever the requested identity doesn't match the
271b18
identity of the process hosting the DBusServer.
271b18
271b18
Signed-off-by: Simon McVittie <smcv@collabora.com>
271b18
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
271b18
Closes: CVE-2019-12749
271b18
---
271b18
 dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
271b18
 1 file changed, 32 insertions(+)
271b18
271b18
diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
271b18
index 37d8d4c9..7390a9d5 100644
271b18
--- a/dbus/dbus-auth.c
271b18
+++ b/dbus/dbus-auth.c
271b18
@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth         *auth,
271b18
   DBusString tmp2;
271b18
   dbus_bool_t retval = FALSE;
271b18
   DBusError error = DBUS_ERROR_INIT;
271b18
+  DBusCredentials *myself = NULL;
271b18
 
271b18
   _dbus_string_set_length (&auth->challenge, 0);
271b18
   
271b18
@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth         *auth,
271b18
       return FALSE;
271b18
     }
271b18
 
271b18
+  myself = _dbus_credentials_new_from_current_process ();
271b18
+
271b18
+  if (myself == NULL)
271b18
+    goto out;
271b18
+
271b18
+  if (!_dbus_credentials_same_user (myself, auth->desired_identity))
271b18
+    {
271b18
+      /*
271b18
+       * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
271b18
+       * client is anyone other than the user owning the process
271b18
+       * containing the DBusServer: we probably aren't allowed to write
271b18
+       * to other users' home directories. Even if we can (for example
271b18
+       * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
271b18
+       * must not, because the other user controls their home directory,
271b18
+       * and could carry out symlink attacks to make us read from or
271b18
+       * write to unintended locations. It's difficult to avoid symlink
271b18
+       * attacks in a portable way, so we just don't try. This isn't a
271b18
+       * regression, because DBUS_COOKIE_SHA1 never worked for other
271b18
+       * users anyway.
271b18
+       */
271b18
+      _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
271b18
+                     "but that doesn't match this process",
271b18
+                     DBUS_AUTH_NAME (auth),
271b18
+                     _dbus_string_get_const_data (data));
271b18
+      retval = send_rejected (auth);
271b18
+      goto out;
271b18
+    }
271b18
+
271b18
   /* we cache the keyring for speed, so here we drop it if it's the
271b18
    * wrong one. FIXME caching the keyring here is useless since we use
271b18
    * a different DBusAuth for every connection.
271b18
@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth         *auth,
271b18
   _dbus_string_zero (&tmp2);
271b18
   _dbus_string_free (&tmp2);
271b18
 
271b18
+  if (myself != NULL)
271b18
+    _dbus_credentials_unref (myself);
271b18
+
271b18
   return retval;
271b18
 }
271b18
 
271b18
-- 
271b18
2.21.0
271b18