Description of problem:
Using D-Bus to request a non-existing property from a NetworkManager object crashes the NetworkManager daemon. This allows any (non-privileged) user to kill NetworkManager, which in turn could conceivably have security implications.

Version-Release number of selected component (if applicable):
NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386
dbus-1.2.1-1.fc9.i386
dbus-glib-0.74-6.fc9.i386
glib-1.2.10-29.fc9.i386

How reproducible:
100% reproducible.

Steps to Reproduce:
1. Ensure that NetworkManager is running.
2. Log on to the console.
3. Run the following command as the console user:

    dbus-send --system --print-reply --type=method_call \
        --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
        org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
        string:State

3. Run the following command as the console user, where "State" has been changed to "BogusPropertyName":

    dbus-send --system --print-reply --type=method_call \
        --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
        org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
        string:BogusPropertyName

4. As root, run "service NetworkManager status" to check on the NetworkManager daemon.

Actual results:
The first "dbus-send" command successfully fetches the State property. However, the second "dbus-send" command fails, reporting "Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)". Lastly, the "service NetworkManager status" command shows that the NetworkManager daemon has crashed and is no longer running.

Expected results:
NetworkManager should be robust in the face of arbitrary abuse from non-privileged users. The second "dbus-send" command should have reported some sort of missing-property error but should not have crashed the daemon. The "service NetworkManager status" command should have shown the daemon still alive and running after the attempt to fetch a bogus property.

Additional info:
I have no idea whether this vulnerability is NetworkManager-specific or would affect other D-Bus services as well. I'm reporting it against NetworkManager because that's where I'm seeing it.
Created attachment 306032: thread stack traces generated by NetworkManager's failure-logging system
<https://bugs.freedesktop.org/show_bug.cgi?id=16079> has a patch, and states that this is a dbus-glib bug.
Dan Williams claims to have fixed this in dbus-glib-0.74-8:

    * Tue May 27 2008 Dan Williams <dcbw> - 0.74-8
    - Handle unknown object properties without asserting (fdo #16079)
    - Handle GetAll() property names correctly (fdo #16114)
    - Enable the freeze-abi patch
    - Cherry-pick some fixes from upstream git
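
A regression check for the behaviour reported above, as an added example that is not part of the original bug thread: it replays the two `dbus-send` requests from the report and classifies the result by whether the daemon survives. The `DBUS_SEND` and `SERVICE` override variables and the function names are assumptions introduced here so the logic can be exercised against stubs.

```shell
#!/bin/sh
# Added regression check; not part of the original bug report.
# DBUS_SEND / SERVICE are hypothetical override variables (an assumption of
# this example) so the logic can be exercised without a live system bus.
DBUS_SEND=${DBUS_SEND:-dbus-send}
SERVICE=${SERVICE:-service}

# Issue org.freedesktop.DBus.Properties.Get for property $1, as in the report.
get_prop() {
    "$DBUS_SEND" --system --print-reply --type=method_call \
        --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
        org.freedesktop.DBus.Properties.Get \
        string:org.freedesktop.NetworkManager "string:$1" 2>&1
}

# The report runs this status check as root.
daemon_alive() {
    "$SERVICE" NetworkManager status >/dev/null 2>&1
}

# Returns 0 = daemon survived, 1 = crash reproduced, 2 = could not test.
# On an unpatched dbus-glib this takes NetworkManager down, as in the report.
check_unknown_property() {
    if ! daemon_alive; then
        echo "INCONCLUSIVE: NetworkManager is not running"; return 2
    fi
    if ! get_prop State >/dev/null; then
        echo "INCONCLUSIVE: baseline Get(State) failed"; return 2
    fi
    reply=$(get_prop BogusPropertyName) || true   # an error reply is expected
    if ! daemon_alive; then
        echo "VULNERABLE: daemon gone after unknown-property Get"; return 1
    fi
    case $reply in
        *org.freedesktop.DBus.Error.NoReply*)
            echo "VULNERABLE: request timed out (NoReply)"; return 1 ;;
    esac
    echo "OK: daemon alive, reply was: $reply"; return 0
}
```

Source the file and call `check_unknown_property` after updating dbus-glib; the exit status distinguishes a reproduced crash (1) from a setup problem (2).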