Bug 499243

Summary: Net::DBus::Object does not correctly validate requested method name to invoke
Product: Fedora
Reporter: Daniel Berrangé <berrange>
Component: perl-Net-DBus
Assignee: Chris Weyl <cweyl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: berrange, cweyl, perl-devel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-06-28 12:23:07 UTC

Description Daniel Berrangé 2009-05-05 18:55:16 UTC
Description of problem:
There is a security issue in the implementation of Net::DBus::Object.

In the place where it dispatches RPC calls, it simply does

 $self->can($method_name)

so, it allows the dbus client to invoke any method that the service side object implements. Many service implementors would like the ability to restrict this to just allow methods they explicitly export in the introspection XML data.

Furthermore, the current check also allows direct invocation of several internal impl methods of Net::DBus::Object itself. 

This allows a remote client to do a denial of service by calling 'disconnect' which unregisters the object from the bus. It also allows the remote client to emit signals on the object which other clients may then act on.

For the dbus 'system' bus, the service can be running as root, and the client as an unprivileged user, so this flaw may allow a client to run things they shouldn't. While the impact of being able to emit signals / invoke improper methods *may* be limited by the need to have ACLs registered with the dbus system bus instance, the degree of protection depends on how well the app author wrote their ACLs. So one can't rely on this.

For the dbus 'session' bus, everything is running as an unprivileged user, so the impact is reasonably low (denial of service).

This issue is already public via upstream bug report

 https://rt.cpan.org/Ticket/Display.html?id=45034

And I have a patch available which should resolve it

  http://hg.berrange.com/libraries/net-dbus--devel?cs=be26112c5fdd

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Run the 'examples/example-service.pl' file from source tar.gz
2. In another terminal run

$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"

Actual results:
The 'disconnect' method was allowed

$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.61 -> dest=:1.62 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
method return sender=:1.61 -> dest=:1.63 reply_serial=2
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
Error org.freedesktop.DBus.Error.UnknownMethod: Method "HelloWorld" with signature "s" on interface "org.designfu.SampleInterface" doesn't exist


Expected results:
The 'disconnect' method should be denied

$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.65 -> dest=:1.66 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
Error org.freedesktop.DBus.Error.Failed: No such method SomeObject->disconnect
$ dbus-send  --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
method return sender=:1.65 -> dest=:1.68 reply_serial=2
   array [
      string "Hello"
      string " from example-service.pl"
   ]


Additional info:
Bug affects all Fedora releases.
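The dispatch flaw in the report, shown with an added example that is not Net::DBus code: a hypothetical stand-in base class (MyBaseObject, standing in for Net::DBus::Object) compares the `$self->can($method_name)` dispatch with one that first checks an explicit export table, the same set of names the introspection XML would advertise.

```perl
# Added example (not Net::DBus code): simplified stand-in for the
# Net::DBus::Object dispatch described in the bug, contrasting
# `$self->can($name)` with dispatch restricted to an explicit export table.
use strict;
use warnings;

package MyBaseObject;    # hypothetical stand-in for Net::DBus::Object

sub new {
    my ($class, %args) = @_;
    my $self = { connected => 1, exports => $args{exports} || {} };
    return bless $self, $class;
}

# Internal implementation method that a remote client must never reach.
sub disconnect { my $self = shift; $self->{connected} = 0; return; }

# Vulnerable dispatch, as the report describes: any method the object
# implements, internal ones included, is reachable from the bus.
sub dispatch_unchecked {
    my ($self, $method, @args) = @_;
    my $code = $self->can($method)
        or die "org.freedesktop.DBus.Error.UnknownMethod: $method\n";
    return $self->$code(@args);
}

# Hardened dispatch: the name must be in the export table (the same set
# the introspection XML advertises) before `can` is consulted at all.
sub dispatch_checked {
    my ($self, $method, @args) = @_;
    die "org.freedesktop.DBus.Error.Failed: No such method $method\n"
        unless exists $self->{exports}{$method};
    my $code = $self->can($method)
        or die "org.freedesktop.DBus.Error.UnknownMethod: $method\n";
    return $self->$code(@args);
}

package SampleService;   # stand-in for the object in examples/example-service.pl
our @ISA = ('MyBaseObject');

sub HelloWorld { my ($self, $msg) = @_; return ("Hello", " from example-service.pl"); }

package main;
my $svc = SampleService->new(exports => { HelloWorld => 1 });
$svc->dispatch_unchecked('disconnect');    # internal method reached from the bus
print "unchecked: connected=$svc->{connected}\n";

$svc->{connected} = 1;
eval { $svc->dispatch_checked('disconnect') } or print "checked: $@";
print "checked: connected=$svc->{connected}\n";
print join('', $svc->dispatch_checked('HelloWorld', 'hello')), "\n";
```

Only the names in the export table are dispatched; 'disconnect' is refused before `can` is ever consulted, while HelloWorld still works.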

Comment 1 Bug Zapper 2009-06-09 15:12:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Bug Zapper 2010-04-27 14:08:37 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Bug Zapper 2010-06-28 12:23:07 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.