[Bug 893821] Re: Shell expansion may allow privilege boundary crossing
Tyler Hicks
tyhicks at canonical.com
Fri Dec 9 15:26:51 UTC 2011
On 2011-12-09 09:27:50, Ganton wrote:
> For more information:
> The "cat /proc/[...]/environ" method that is used now there... is said to cause problems:
> - "you have multiple hosts"
> - "when more than one X session is used"
> - etc.
That's a good point. However, this was strictly a security update that
focused on preventing powerbtn.sh from being fooled into executing code
provided by another user.
Completely changing how the DBUS session bus address is retrieved in all
of the ACPI scripts was outside of the scope for this update. You may
want to consider opening a separate bug for the issue you raised.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to acpid in Ubuntu.
https://bugs.launchpad.net/bugs/893821
Title:
Shell expansion may allow privilege boundary crossing
Status in “acpid” package in Ubuntu:
Fix Released
Bug description:
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited.
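A hardened form of the excerpt above, added here as an illustration rather than the acpid project's own fix (the function names extract_dbus_address, user_kded_pid and run_qdbus_as_user are assumed): it restricts the pid lookup to kded4 processes owned by $XUSER and checks the address against an allow-list instead of passing it through eval.

```shell
#!/bin/sh
# Added example (not the acpid fix). Hardened replacement for the powerbtn.sh
# excerpt: look only at kded4 processes owned by $XUSER, and never eval the
# value read from /proc/<pid>/environ.

# Read a NUL-separated environ blob (the /proc/<pid>/environ format) from
# stdin and print DBUS_SESSION_BUS_ADDRESS only if it passes an allow-list:
# local unix: transport, no shell metacharacters. Returns 1 otherwise.
extract_dbus_address() {
    addr=$(tr '\0' '\n' | sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1)
    [ -n "$addr" ] || return 1
    case "$addr" in
        unix:*) ;;          # session buses are local sockets; reject tcp: etc.
        *) return 1 ;;
    esac
    # Any character outside this set (quotes, $, `, ;, |, whitespace, ...)
    # means the value cannot be trusted inside a command string.
    case "$addr" in
        *[!A-Za-z0-9_./:=,-]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# Pid of a kded4 process owned by the given user (pgrep -u), instead of
# pidof, which matches any user's process of that name.
user_kded_pid() {
    pgrep -u "$1" -x kded4 | head -n 1
}

# Root-side driver: resolve the user's own kded4, validate the address, and
# hand it over as a plain environment assignment (no eval) to the user's shell.
run_qdbus_as_user() {
    xuser=$1
    pid=$(user_kded_pid "$xuser")
    [ -n "$pid" ] || { echo "no kded4 owned by $xuser" >&2; return 1; }
    addr=$(extract_dbus_address < "/proc/$pid/environ") || {
        echo "refusing untrusted DBUS_SESSION_BUS_ADDRESS" >&2; return 1; }
    su - "$xuser" -c "DBUS_SESSION_BUS_ADDRESS='$addr' qdbus org.kde.kded"
}
```

Calling run_qdbus_as_user "$XUSER" from the script replaces the original su line; the two helper functions can be exercised on their own with a constructed environ file.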