A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges, allowing local privilege escalation.
The `script_pre` and `script_post` options allow arbitrary scripts to be passed that will be executed by root. The parameters are extracted in "daemon/controller.py:459" and stored unmodified in a new `Instance` object; the only verification of the script path is performed in "plugins/base.py:222":
```
if not script.startswith("/"):
    log.error("Relative paths cannot be used in script_pre or script_post. " \
        + "Use ${i:PROFILE_DIR}.")
    return False
```
So the only requirement is that an absolute path is passed. Thus scripts under control of an unprivileged user can be passed here. This allows for a local root exploit.
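The following sketch, an added example and not Tuned's own code or its actual fix, puts the quoted check beside a stricter one that a root service could apply before executing a caller-supplied script. The `TRUSTED_DIRS` allowlist, the function names and the sample path are assumptions made for illustration.

```python
import os
import stat

# Assumed allowlist for illustration; not taken from Tuned's code.
TRUSTED_DIRS = ("/usr/lib/tuned", "/etc/tuned")


def weak_check(script):
    """Equivalent of the check quoted above: any absolute path passes."""
    return script.startswith("/")


def hardened_check(script, trusted_dirs=TRUSTED_DIRS, trusted_uid=0):
    """Accept a script only if it resolves to a regular file inside a trusted
    directory and neither the file nor its directory can be modified by
    anyone other than trusted_uid."""
    if not script.startswith("/"):
        return False
    # Resolve symlinks and ".." first so containment is tested on the real target.
    real = os.path.realpath(script)
    roots = [os.path.realpath(d) for d in trusted_dirs]
    if not any(os.path.commonpath([real, root]) == root for root in roots):
        return False
    try:
        file_st = os.stat(real)
        dir_st = os.stat(os.path.dirname(real))
    except OSError:
        return False
    if not stat.S_ISREG(file_st.st_mode):
        return False
    for st in (file_st, dir_st):
        # Reject anything an unprivileged user could replace or edit.
        if st.st_uid != trusted_uid:
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample path standing in for a script in a user's home directory.
    sample = "/home/user/evil.sh"
    print("weak_check:    ", weak_check(sample))
    print("hardened_check:", hardened_check(sample))
```

A path check of this kind narrows what can be executed but does not replace authenticating the D-Bus caller, which is the other half of the flaw described above.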