Vigil@nce: dbus, privilege elevation via autolaunch
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can use a suid root program linked to libdbus,
and start dbus-launch, in order to gain root privileges.
– Impacted products: Fedora, RHEL, SUSE Linux Enterprise Desktop,
SLES, Unix (platform)
– Severity: 2/4
– Creation date: 12/09/2012
DESCRIPTION OF THE VULNERABILITY
The D-Bus system is used by local applications, in order to
exchange messages.
The dbus-launch program starts a D-Bus daemon. If the
DBUS_SYSTEM_BUS_ADDRESS environment variable is set to
"autolaunch:", the dbus-launch program is automatically called by
applications linked to libdbus. The dbus-launch program is first
searched for in /bin, then the PATH variable is used to find the
program.
However, if the application is suid, the libdbus library still
accepts the DBUS_SYSTEM_BUS_ADDRESS and PATH variables from the
environment. An attacker can thus change the PATH so that it starts
with a directory containing a malicious program named dbus-launch.
The attacker can then use the "autolaunch" mode, so that the
malicious program is searched for in the PATH, and executed with
the privileges of the suid application.
A local attacker can therefore use a suid root program linked to
libdbus, and start dbus-launch, in order to gain root privileges.
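The hardening a suid program can apply before it calls into libdbus, as an added example (not code from the bulletin or from the D-Bus project): it refuses an "autolaunch:" bus address and replaces the caller's PATH when the real and effective ids differ. The function names and the SAFE_PATH value are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: a fixed search path made only of root-owned directories. */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Non-zero when the process holds privileges the invoking user lacks. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* "autolaunch:" makes libdbus spawn dbus-launch, so a privileged
 * process must not take that address from its environment. */
int bus_address_allowed(const char *addr, int privileged)
{
    if (addr == NULL || !privileged)
        return 1;
    return strncmp(addr, "autolaunch:", 11) != 0;
}

/* Drop the caller-controlled variables named in the bulletin.
 * Returns 0 on success, -1 if the environment could not be changed. */
int scrub_env(int privileged)
{
    if (!privileged)
        return 0;                       /* ordinary process: keep env */
    if (unsetenv("DBUS_SYSTEM_BUS_ADDRESS") != 0)
        return -1;
    return setenv("PATH", SAFE_PATH, 1) != 0 ? -1 : 0;
}

int main(void)
{
    int priv = running_privileged();
    const char *path;

    if (!bus_address_allowed(getenv("DBUS_SYSTEM_BUS_ADDRESS"), priv))
        fprintf(stderr, "ignoring untrusted autolaunch bus address\n");
    if (scrub_env(priv) != 0)
        return EXIT_FAILURE;            /* fail closed */
    /* The libdbus connection would be opened only after this point. */
    path = getenv("PATH");
    printf("PATH=%s\n", path ? path : "(unset)");
    return EXIT_SUCCESS;
}
```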
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/dbus-privilege-elevation-via-autolaunch-11936