Bug 432419 - (CVE-2008-0595) CVE-2008-0595 dbus security policy circumvention
CVE-2008-0595 dbus security policy circumvention
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 432435 432436 432437 432438
  Show dependency treegraph
Reported: 2008-02-11 17:08 EST by Josh Bressers
Modified: 2016-06-17 17:14 EDT (History)
6 users (show)

See Also:
Fixed In Version: 1.0.2-7.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-28 16:36:14 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (2.19 KB, patch)
2008-02-11 19:16 EST, Josh Bressers
no flags Details | Diff

  None (edit)
Description Josh Bressers 2008-02-11 17:08:22 EST
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
security policy.

Ray Strode describes it as such:
    When evaluating whether or not to invoke a method call, the bus daemon
    will look at the security policy and try to determine whether or not the
    caller is allowed access to the method call.

    Many dbus services have lines in their security policy of the form:

    <allow send_interface="some.interface.WithMethods"/>

    to explicitly whitelist the methods of a particular interface for users
    of a specific policy context.

    Normally dbus method calls are invoked fully qualified. That is to say
    the interface the method belongs to is passed to the bus daemon along
    with the method name of the method call. The bus daemon does not
    require method calls to be fully qualified, however. If a caller passes
    just the method with a NULL interface, then the bus daemon will try to
    find the interface with the corresponding method and invoke the method
    call on that interface.

    In these cases, the send_interface attribute of the allow directive is

    <allow send_interface="some.interface.WithMethods"/>

    is interpreted as an implicit <allow/>. This means that if dbus policy
    file contains any <allow send_interface="..." /> directives for a
    particular context, then it implicitly allows that context to invoke
    non-qualified method calls defined for any interface.
Comment 1 Josh Bressers 2008-02-11 19:16:55 EST
Created attachment 294608 [details]
Proposed patch
Comment 4 Ray Strode [halfline] 2008-02-11 22:39:10 EST
This doesn't affect rhel4 after all.  I rewrote the testcase in C using the dbus
0.22 api and I get a lovely assertion blown:

[Calling DoPowerfulThing without interface...18538: assertion failed "(interface
&& member) || (error_name) || !(interface || member || error_name)" file
"dbus-message.c" line 1060

The first clause of the assertion says that method calls need to be fully qualified.
Comment 6 Josh Bressers 2008-02-27 12:45:10 EST
This is now public:
Comment 8 Fedora Update System 2008-02-28 16:36:10 EST
dbus-1.0.2-7.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-02-28 16:39:30 EST
dbus-1.1.2-9.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.