Bug 432419 (CVE-2008-0595) - CVE-2008-0595 dbus security policy circumvention
Summary: CVE-2008-0595 dbus security policy circumvention
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-0595
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 432435 432436 432437 432438
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-02-11 22:08 UTC by Josh Bressers
Modified: 2019-09-29 12:23 UTC (History)
6 users (show)

Fixed In Version: 1.0.2-7.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-28 21:36:14 UTC


Attachments (Terms of Use)
Proposed patch (2.19 KB, patch)
2008-02-12 00:16 UTC, Josh Bressers
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0159 normal SHIPPED_LIVE Moderate: dbus security update 2008-02-27 21:29:16 UTC

Description Josh Bressers 2008-02-11 22:08:22 UTC
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy.

Ray Strode describes it as such:
    When evaluating whether or not to invoke a method call, the bus daemon
    will look at the security policy and try to determine whether or not the
    caller is allowed access to the method call.

    Many dbus services have lines in their security policy of the form:

    <allow send_interface="some.interface.WithMethods"/>

    to explicitly whitelist the methods of a particular interface for users
    of a specific policy context.

    Normally dbus method calls are invoked fully qualified. That is to say
    the interface the method belongs to is passed to the bus daemon along
    with the method name of the method call. The bus daemon does not
    require method calls to be fully qualified, however. If a caller passes
    just the method with a NULL interface, then the bus daemon will try to
    find the interface with the corresponding method and invoke the method
    call on that interface.

    In these cases, the send_interface attribute of the allow directive is
    ignored.

    <allow send_interface="some.interface.WithMethods"/>

    is interpreted as an implicit <allow/>. This means that if dbus policy
    file contains any <allow send_interface="..." /> directives for a
    particular context, then it implicitly allows that context to invoke
    non-qualified method calls defined for any interface.

Comment 1 Josh Bressers 2008-02-12 00:16:55 UTC
Created attachment 294608 [details]
Proposed patch

Comment 4 Ray Strode [halfline] 2008-02-12 03:39:10 UTC
This doesn't affect rhel4 after all.  I rewrote the testcase in C using the dbus
0.22 api and I get a lovely assertion blown:

[Calling DoPowerfulThing without interface...18538: assertion failed "(interface
&& member) || (error_name) || !(interface || member || error_name)" file
"dbus-message.c" line 1060


The first clause of the assertion says that method calls need to be fully qualified.

Comment 6 Josh Bressers 2008-02-27 17:45:10 UTC
This is now public:
http://lists.freedesktop.org/archives/dbus/2008-February/009401.html

Comment 8 Fedora Update System 2008-02-28 21:36:10 UTC
dbus-1.0.2-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2008-02-28 21:39:30 UTC
dbus-1.1.2-9.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.