Bug 447466 - fetching bogus D-Bus property crashes NetworkManager daemon
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: dbus-glib
Version: 9
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Denis Leroy
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-05-19 20:02 EDT by Ben Liblit
Modified: 2008-06-26 18:59 EDT
Fixed In Version: 0.74-8
Doc Type: Bug Fix
Last Closed: 2008-06-26 18:59:17 EDT

Attachments
thread stack traces generated by NetworkManager's failure-logging system (3.19 KB, text/plain)
2008-05-19 20:02 EDT, Ben Liblit


External Trackers
Tracker ID
GNOME Desktop 534544
FreeDesktop.org 16079

Description Ben Liblit 2008-05-19 20:02:52 EDT
Description of problem:

Using D-Bus to request a non-existing property from a NetworkManager object
crashes the NetworkManager daemon.  This allows any (non-privileged) user to
kill NetworkManager, which in turn could conceivably have security implications.


Version-Release number of selected component (if applicable):

NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386
dbus-1.2.1-1.fc9.i386
dbus-glib-0.74-6.fc9.i386
glib-1.2.10-29.fc9.i386


How reproducible:

100% reproducible.


Steps to Reproduce:
1. Ensure that NetworkManager is running.
2. Log on to the console.
3. Run the following command as the console user:

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:State

4. Run the following command as the console user, where "State" has been changed
to "BogusPropertyName":

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:BogusPropertyName

5. As root, run "service NetworkManager status" to check on the NetworkManager
daemon.


Actual results:

The first "dbus-send" command successfully fetches the State property.  However,
the second "dbus-send" command fails, reporting "Error
org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by
message bus)".  Lastly, the "service NetworkManager status" command shows that
the NetworkManager daemon has crashed and is no longer running.

Expected results:

NetworkManager should be robust in the face of arbitrary abuse from
non-privileged users.  The second "dbus-send" command should have reported some
sort of missing-property error but should not have crashed the daemon.  The
"service NetworkManager status" command should have shown the daemon still
alive and running after the attempt to fetch a bogus property.


Additional info:

I have no idea whether this vulnerability is NetworkManager-specific or would
affect other D-Bus services as well.  I'm reporting it against NetworkManager
because that's where I'm seeing it.
Comment 1 Ben Liblit 2008-05-19 20:02:52 EDT
Created attachment 306032
thread stack traces generated by NetworkManager's failure-logging system
Comment 2 Ben Liblit 2008-05-23 18:16:02 EDT
<https://bugs.freedesktop.org/show_bug.cgi?id=16079> has a patch, and states
that this is a dbus-glib bug.
Comment 3 Ben Liblit 2008-06-26 18:59:17 EDT
Dan Williams claims to have fixed this in dbus-glib-0.74-8:

    * Tue May 27 2008 Dan Williams <dcbw@redhat.com> - 0.74-8
    - Handle unknown object properties without asserting (fdo #16079)
    - Handle GetAll() property names correctly (fdo #16114)
    - Enable the freeze-abi patch
    - Cherry-pick some fixes from upstream git
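
The changelog in Comment 3 describes the fix as handling unknown object properties without asserting. The C example below is an added illustration of that pattern, not code from dbus-glib or NetworkManager: the property table, handler names and reply codes are assumptions, and a forked child stands in for the daemon so that the abort is observable.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed table standing in for a service's exported properties. */
static const char *const known_props[] = { "State", "ExampleProperty", NULL };

enum reply { REPLY_VALUE = 0, REPLY_ERROR = 1 };

static int find_prop(const char *name) {
    for (int i = 0; known_props[i] != NULL; i++)
        if (strcmp(known_props[i], name) == 0) return i;
    return -1;
}

/* Pre-fix pattern: a caller-supplied name is assumed valid. abort() here
 * has the same effect as a failed assertion: the whole process dies. */
static enum reply get_asserting(const char *name) {
    if (find_prop(name) < 0) abort();
    return REPLY_VALUE;
}

/* Post-fix pattern: an unknown name becomes an error reply to the caller. */
static enum reply get_checked(const char *name) {
    return find_prop(name) >= 0 ? REPLY_VALUE : REPLY_ERROR;
}

/* Run a handler in a child "daemon"; return its reply, or the negated
 * signal number if the child was killed (-1000 on fork/wait failure). */
static int run_isolated(enum reply (*handler)(const char *), const char *name) {
    fflush(stdout);                      /* keep buffered output out of the child */
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) _exit(handler(name));
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1000;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}

int main(void) {
    const char *names[] = { "State", "BogusPropertyName" };
    for (int i = 0; i < 2; i++)
        printf("%-18s asserting=%d checked=%d\n", names[i],
               run_isolated(get_asserting, names[i]),
               run_isolated(get_checked, names[i]));
    return 0;
}
```

A negative value in the "asserting" column is the signal that killed the child; the "checked" column shows the same request answered with an error reply while the process stays alive.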
