Vigil@nce: D-Bus, denial of service via recursion
December 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can send a D-Bus message containing several
nested "variant", in order to stop the service.
– Severity: 1/4
– Creation date: 16/12/2010
DESCRIPTION OF THE VULNERABILITY
The D-Bus service is used by applications to communicate via
messages sent on a bus. Data of D-Bus messages are stored in four
types of containers:
– array
– structure : pre-defined fields
– dictionary : associative array
– variant : dynamic type
The D-Bus specification limits to 32 the number of nestings for
"array", "structure" and "dictionary". However, the "variant" type
is not limited.
The D-Bus implementation in the FreeDesktop Dbus suite also does
not limit the number of nestings for the "variant" type. When a
message is received, it is checked. Each nesting level calls a
checking function, which consumes a part of the execution stack.
When the number of nestings is too high, the stacks gets filled,
and a segmentation error occurs.
A local attacker can therefore send a D-Bus message containing
several nested "variant", in order to stop the service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/D-Bus-denial-of-service-via-recursion-10226