Red Hat Bugzilla – Bug 432419
CVE-2008-0595 dbus security policy circumvention
Last modified: 2008-02-28 16:39:30 EST
Havoc Pennington discovered a flaw in the way the dbus-daemon applies its
Ray Strode describes it as such:
When evaluating whether or not to invoke a method call, the bus daemon
will look at the security policy and try to determine whether or not the
caller is allowed access to the method call.
Many dbus services have lines in their security policy of the form:
to explicitly whitelist the methods of a particular interface for users
of a specific policy context.
Normally dbus method calls are invoked fully qualified. That is to say
the interface the method belongs to is passed to the bus daemon along
with the method name of the method call. The bus daemon does not
require method calls to be fully qualified, however. If a caller passes
just the method with a NULL interface, then the bus daemon will try to
find the interface with the corresponding method and invoke the method
call on that interface.
In these cases, the send_interface attribute of the allow directive is
interpreted as an implicit <allow/>. This means that if a dbus policy
file contains any <allow send_interface="..." /> directives for a
particular context, then it implicitly allows that context to invoke
non-qualified method calls defined for any interface.
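The policy-matching defect described above, as an added illustration that is not dbus's own code: a simplified model of the bus daemon's rule evaluation (last matching rule wins, default deny), with the pre-fix matcher that lets a call carrying no interface satisfy any send_interface rule, beside the corrected matcher that refuses to let an allow rule match an unqualified call. The rule struct, the policy contents and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one <allow|deny send_interface="..."/> rule (not dbus's own types). */
typedef struct {
    bool allow;                 /* true for <allow/>, false for <deny/> */
    const char *send_interface; /* NULL when the rule has no send_interface attribute */
} policy_rule;

/* Pre-fix behaviour: a message with no interface (non-qualified call) never fails
 * the string comparison, so every send_interface rule matches, allows included. */
static bool rule_matches_vulnerable(const policy_rule *r, const char *interface) {
    if (r->send_interface != NULL) {
        if (interface != NULL && strcmp(interface, r->send_interface) != 0)
            return false;
    }
    return true;
}

/* Fixed behaviour: an allow rule that names an interface cannot match a call that
 * names none; a deny rule naming an interface still applies, so the safe default wins. */
static bool rule_matches_fixed(const policy_rule *r, const char *interface) {
    if (r->send_interface != NULL) {
        bool no_interface = (interface == NULL);
        if ((no_interface && r->allow) ||
            (!no_interface && strcmp(interface, r->send_interface) != 0))
            return false;
    }
    return true;
}

/* Rules are evaluated in file order; the last matching rule decides, default deny. */
static bool can_send(const policy_rule *rules, size_t n, const char *interface,
                     bool (*matches)(const policy_rule *, const char *)) {
    bool allowed = false;
    for (size_t i = 0; i < n; i++)
        if (matches(&rules[i], interface))
            allowed = rules[i].allow;
    return allowed;
}

/* Constructed policy context: deny everything, then whitelist one interface. */
static const policy_rule sample_policy[] = {
    { false, NULL },
    { true,  "org.example.Harmless" },
};
#define N_RULES (sizeof sample_policy / sizeof sample_policy[0])

bool vulnerable_allows_unqualified(void) { return can_send(sample_policy, N_RULES, NULL, rule_matches_vulnerable); }
bool fixed_allows_unqualified(void)      { return can_send(sample_policy, N_RULES, NULL, rule_matches_fixed); }
bool fixed_allows_qualified(void)        { return can_send(sample_policy, N_RULES, "org.example.Harmless", rule_matches_fixed); }
```

With the pre-fix matcher the single whitelist line turns into a blanket allow for unqualified calls in that context; the corrected matcher only honours it for calls that actually name org.example.Harmless.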
Created attachment 294608 [details]
This doesn't affect rhel4 after all. I rewrote the testcase in C using the dbus
0.22 API and I get a lovely assertion blown:
[Calling DoPowerfulThing without interface...18538: assertion failed "(interface
&& member) || (error_name) || !(interface || member || error_name)" file
"dbus-message.c" line 1060
The first clause of the assertion says that method calls need to be fully qualified.
This is now public:
dbus-1.0.2-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
dbus-1.1.2-9.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.