|
|
271b18 |
From 47b1a4c41004bf494b87370987b222c934b19016 Mon Sep 17 00:00:00 2001
|
|
|
271b18 |
From: Simon McVittie <smcv@collabora.com>
|
|
|
271b18 |
Date: Thu, 30 May 2019 12:53:03 +0100
|
|
|
271b18 |
Subject: [PATCH] auth: Reject DBUS_COOKIE_SHA1 for users other than the server
|
|
|
271b18 |
owner
|
|
|
271b18 |
|
|
|
271b18 |
The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
|
|
|
271b18 |
of a shared home directory by having the server write a secret "cookie"
|
|
|
271b18 |
into a .dbus-keyrings subdirectory of the desired identity's home
|
|
|
271b18 |
directory with 0700 permissions, and having the client prove that it can
|
|
|
271b18 |
read the cookie. This never actually worked for non-malicious clients in
|
|
|
271b18 |
the case where server uid != client uid (unless the server and client
|
|
|
271b18 |
both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
|
|
|
271b18 |
Unix uid 0) because an unprivileged server would fail to write out the
|
|
|
271b18 |
cookie, and an unprivileged client would be unable to read the resulting
|
|
|
271b18 |
file owned by the server.
|
|
|
271b18 |
|
|
|
271b18 |
Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
|
|
|
271b18 |
is owned by the uid of the server (a side-effect of a check added to
|
|
|
271b18 |
harden our use of XDG_RUNTIME_DIR), further ruling out successful use
|
|
|
271b18 |
by a non-malicious client with a uid differing from the server's.
|
|
|
271b18 |
|
|
|
271b18 |
Joe Vennix of Apple Information Security discovered that the
|
|
|
271b18 |
implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
|
|
|
271b18 |
attack: a malicious client with write access to its own home directory
|
|
|
271b18 |
could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
|
|
|
271b18 |
read and write in unintended locations. In the worst case this could
|
|
|
271b18 |
result in the DBusServer reusing a cookie that is known to the
|
|
|
271b18 |
malicious client, and treating that cookie as evidence that a subsequent
|
|
|
271b18 |
client connection came from an attacker-chosen uid, allowing
|
|
|
271b18 |
authentication bypass.
|
|
|
271b18 |
|
|
|
271b18 |
This is mitigated by the fact that by default, the well-known system
|
|
|
271b18 |
dbus-daemon (since 2003) and the well-known session dbus-daemon (in
|
|
|
271b18 |
stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
|
|
|
271b18 |
authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
|
|
|
271b18 |
at an early stage, before manipulating cookies. As a result, this
|
|
|
271b18 |
vulnerability only applies to:
|
|
|
271b18 |
|
|
|
271b18 |
* system or session dbus-daemons with non-standard configuration
|
|
|
271b18 |
* third-party dbus-daemon invocations such as at-spi2-core (although
|
|
|
271b18 |
in practice at-spi2-core also only accepts EXTERNAL by default)
|
|
|
271b18 |
* third-party uses of DBusServer such as the one in Upstart
|
|
|
271b18 |
|
|
|
271b18 |
Avoiding symlink attacks in a portable way is difficult, because APIs
|
|
|
271b18 |
like openat() and Linux /proc/self/fd are not universally available.
|
|
|
271b18 |
However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
|
|
|
271b18 |
a non-matching uid, we can solve this vulnerability in an easier way
|
|
|
271b18 |
without regressions, by rejecting it early (before looking at
|
|
|
271b18 |
~/.dbus-keyrings) whenever the requested identity doesn't match the
|
|
|
271b18 |
identity of the process hosting the DBusServer.
|
|
|
271b18 |
|
|
|
271b18 |
Signed-off-by: Simon McVittie <smcv@collabora.com>
|
|
|
271b18 |
Closes: https://gitlab.freedesktop.org/dbus/dbus/issues/269
|
|
|
271b18 |
Closes: CVE-2019-12749
|
|
|
271b18 |
---
|
|
|
271b18 |
dbus/dbus-auth.c | 32 ++++++++++++++++++++++++++++++++
|
|
|
271b18 |
1 file changed, 32 insertions(+)
|
|
|
271b18 |
|
|
|
271b18 |
diff --git a/dbus/dbus-auth.c b/dbus/dbus-auth.c
|
|
|
271b18 |
index 37d8d4c9..7390a9d5 100644
|
|
|
271b18 |
--- a/dbus/dbus-auth.c
|
|
|
271b18 |
+++ b/dbus/dbus-auth.c
|
|
|
271b18 |
@@ -529,6 +529,7 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
|
|
271b18 |
DBusString tmp2;
|
|
|
271b18 |
dbus_bool_t retval = FALSE;
|
|
|
271b18 |
DBusError error = DBUS_ERROR_INIT;
|
|
|
271b18 |
+ DBusCredentials *myself = NULL;
|
|
|
271b18 |
|
|
|
271b18 |
_dbus_string_set_length (&auth->challenge, 0);
|
|
|
271b18 |
|
|
|
271b18 |
@@ -565,6 +566,34 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
|
|
271b18 |
return FALSE;
|
|
|
271b18 |
}
|
|
|
271b18 |
|
|
|
271b18 |
+ myself = _dbus_credentials_new_from_current_process ();
|
|
|
271b18 |
+
|
|
|
271b18 |
+ if (myself == NULL)
|
|
|
271b18 |
+ goto out;
|
|
|
271b18 |
+
|
|
|
271b18 |
+ if (!_dbus_credentials_same_user (myself, auth->desired_identity))
|
|
|
271b18 |
+ {
|
|
|
271b18 |
+ /*
|
|
|
271b18 |
+ * DBUS_COOKIE_SHA1 is not suitable for authenticating that the
|
|
|
271b18 |
+ * client is anyone other than the user owning the process
|
|
|
271b18 |
+ * containing the DBusServer: we probably aren't allowed to write
|
|
|
271b18 |
+ * to other users' home directories. Even if we can (for example
|
|
|
271b18 |
+ * uid 0 on traditional Unix or CAP_DAC_OVERRIDE on Linux), we
|
|
|
271b18 |
+ * must not, because the other user controls their home directory,
|
|
|
271b18 |
+ * and could carry out symlink attacks to make us read from or
|
|
|
271b18 |
+ * write to unintended locations. It's difficult to avoid symlink
|
|
|
271b18 |
+ * attacks in a portable way, so we just don't try. This isn't a
|
|
|
271b18 |
+ * regression, because DBUS_COOKIE_SHA1 never worked for other
|
|
|
271b18 |
+ * users anyway.
|
|
|
271b18 |
+ */
|
|
|
271b18 |
+ _dbus_verbose ("%s: client tried to authenticate as \"%s\", "
|
|
|
271b18 |
+ "but that doesn't match this process",
|
|
|
271b18 |
+ DBUS_AUTH_NAME (auth),
|
|
|
271b18 |
+ _dbus_string_get_const_data (data));
|
|
|
271b18 |
+ retval = send_rejected (auth);
|
|
|
271b18 |
+ goto out;
|
|
|
271b18 |
+ }
|
|
|
271b18 |
+
|
|
|
271b18 |
/* we cache the keyring for speed, so here we drop it if it's the
|
|
|
271b18 |
* wrong one. FIXME caching the keyring here is useless since we use
|
|
|
271b18 |
* a different DBusAuth for every connection.
|
|
|
271b18 |
@@ -679,6 +708,9 @@ sha1_handle_first_client_response (DBusAuth *auth,
|
|
|
271b18 |
_dbus_string_zero (&tmp2);
|
|
|
271b18 |
_dbus_string_free (&tmp2);
|
|
|
271b18 |
|
|
|
271b18 |
+ if (myself != NULL)
|
|
|
271b18 |
+ _dbus_credentials_unref (myself);
|
|
|
271b18 |
+
|
|
|
271b18 |
return retval;
|
|
|
271b18 |
}
|
|
|
271b18 |
|
|
|
271b18 |
--
|
|
|
271b18 |
2.21.0
|
|
|
271b18 |
|