[Bug 893821] Re: Shell expansion may allow privilege boundary crossing

[Heby Joseph]

** Also affects: acpid
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to acpid in Ubuntu.
https://bugs.launchpad.net/bugs/893821

Title:
  Shell expansion may allow privilege boundary crossing

Status in acpid:
  New
Status in “acpid” package in Ubuntu:
  Fix Released

Bug description:
  Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
  that could allow an attacker to execute arbitrary code as the user that
  is logged into the current X session. The prerequisites for the attack
  are as follows:

  1.) The attacker must be able to run an application on the system.

  2.) A power management daemon cannot be running. See $PMS in
  powerbtn.sh for the list of known daemons.

  3.) powerbtn.sh must be triggered. This may happen by pressing a power
  button in a bare-metal installation or by virsh shutdown in a
  virtualized environment.

  Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:

  su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof
  kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus
  org.kde.kded"

  $(pidof kded4) returns the pid of any process(es) named kded4. Due to command 
  expansion, cat /proc/$(pidof kded4)/environ is ran as root, allowing the 
  environ of any process, owned by any user, to be successfully read.

  The attacker may be running a "fake" kded4 binary which has a malicious
  DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
  shell commands that would be expanded as $XUSER. This opens up the
  possibility of the attacker running code as $XUSER. The prerequisites
  listed above must be met in order for the vulnerable code to be
  exploited.

To manage notifications about this bug go to:
https://bugs.launchpad.net/acpid/+bug/893821/+subscriptions