[Bug 893821] Re: Shell expansion may allow privilege boundary crossing
Tyler Hicks
tyhicks at canonical.com
Fri Dec 9 15:20:18 UTC 2011
On 2011-12-09 08:36:20, Ganton wrote:
> I suggest changing those "pidof" that appear in the code (for example,
> in the patch).
Thanks for the suggestion, Ganton. The update did make the change from
pidof to pgrep. The script's new usage of pgrep uses the -n and -u
options.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to acpid in Ubuntu.
https://bugs.launchpad.net/bugs/893821
Title:
Shell expansion may allow privilege boundary crossing
Status in “acpid” package in Ubuntu:
Fix Released
Bug description:
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof
kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus
org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is ran as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/acpid/+bug/893821/+subscriptions
More information about the foundations-bugs
mailing list