Bug 447466

Summary: fetching bogus D-Bus property crashes NetworkManager daemon
Product: [Fedora] Fedora Reporter: Ben Liblit <liblit>
Component: dbus-glibAssignee: Denis Leroy <denis>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 9CC: davidz
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.74-8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-06-26 22:59:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
thread stack traces generated by NetworkManager's failure-logging system none

Description Ben Liblit 2008-05-20 00:02:52 UTC 
Description of problem:

Using D-Bus to request a non-existing property from a NetworkManager object
crashes the NetworkManager daemon.  This allows any (non-privileged) user to
kill NetworkManager, which in turn could conceivably have security implications.


Version-Release number of selected component (if applicable):

NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386
dbus-1.2.1-1.fc9.i386
dbus-glib-0.74-6.fc9.i386
glib-1.2.10-29.fc9.i386


How reproducible:

100% reproducible.


Steps to Reproduce:
1. Ensure that NetworkManager is running.
2. Log on to the console.
3. Run the following command as the console user:

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:State

3. Run the following command as the console user, where "State" has been changed
to "BogusPropertyName":

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:BogusPropertyName

4. As root, run "service NetworkManager status" to check on the NetworkManager
daemon.


Actual results:

The first "dbus-send" command successfully fetches the State property.  However,
the second "dbus-send" command fails, reporting "Error
org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by
message bus)".  Lastly, the "service NetworkManager status" command shows that
the NetworkManager daemon has crashed and is no longer running.

Expected results:

NetworkManager should be robust in the face of arbitrary abuse from
non-privileged users.  The second "dbus-send" command should have reported some
sort of missing-property error but should not have crashed the daemon.  The
"service NetworkManager status" command should have showed the daemon still
alive and running after the attempt to fetch a bogus property.


Additional info:

I have no idea whether this vulnerability is NetworkManager-specific or would
affect other D-Bus services as well.  I'm reporting it against NetworkManager
because that's where I'm seeing it.
Comment 1 Ben Liblit 2008-05-20 00:02:52 UTC 
Created attachment 306032 [details]
thread stack traces generated by NetworkManager's failure-logging system
Comment 2 Ben Liblit 2008-05-23 22:16:02 UTC 
<https://bugs.freedesktop.org/show_bug.cgi?id=16079> has a patch, and states
that this is a dbus-glib bug.
Comment 3 Ben Liblit 2008-06-26 22:59:17 UTC 
Dan Williams claims to have fixed this in dbus-glib-0.74-8:

    * Tue May 27 2008 Dan Williams <dcbw> - 0.74-8
    - Handle unknown object properties without asserting (fdo #16079)
    - Handle GetAll() property names correctly (fdo #16114)
    - Enable the freeze-abi patch
    - Cherry-pick some fixes from upstream git