Bug 447466 - fetching bogus D-Bus property crashes NetworkManager daemon
Summary: fetching bogus D-Bus property crashes NetworkManager daemon
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: dbus-glib
Version: 9
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Denis Leroy
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-05-20 00:02 UTC by Ben Liblit
Modified: 2008-06-26 22:59 UTC (History)
1 user (show)

Fixed In Version: 0.74-8
Clone Of:
Environment:
Last Closed: 2008-06-26 22:59:17 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
thread stack traces generated by NetworkManager's failure-logging system (3.19 KB, text/plain)
2008-05-20 00:02 UTC, Ben Liblit 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
FreeDesktop.org 16079 0 None None None Never
GNOME Bugzilla 534544 0 None None None Never

Description Ben Liblit 2008-05-20 00:02:52 UTC 
Description of problem:

Using D-Bus to request a non-existing property from a NetworkManager object
crashes the NetworkManager daemon.  This allows any (non-privileged) user to
kill NetworkManager, which in turn could conceivably have security implications.


Version-Release number of selected component (if applicable):

NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386
dbus-1.2.1-1.fc9.i386
dbus-glib-0.74-6.fc9.i386
glib-1.2.10-29.fc9.i386


How reproducible:

100% reproducible.


Steps to Reproduce:
1. Ensure that NetworkManager is running.
2. Log on to the console.
3. Run the following command as the console user:

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:State

3. Run the following command as the console user, where "State" has been changed
to "BogusPropertyName":

  dbus-send --system --print-reply --type=method_call \
  --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager \
  org.freedesktop.DBus.Properties.Get string:org.freedesktop.NetworkManager \
  string:BogusPropertyName

4. As root, run "service NetworkManager status" to check on the NetworkManager
daemon.


Actual results:

The first "dbus-send" command successfully fetches the State property.  However,
the second "dbus-send" command fails, reporting "Error
org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by
message bus)".  Lastly, the "service NetworkManager status" command shows that
the NetworkManager daemon has crashed and is no longer running.

Expected results:

NetworkManager should be robust in the face of arbitrary abuse from
non-privileged users.  The second "dbus-send" command should have reported some
sort of missing-property error but should not have crashed the daemon.  The
"service NetworkManager status" command should have showed the daemon still
alive and running after the attempt to fetch a bogus property.


Additional info:

I have no idea whether this vulnerability is NetworkManager-specific or would
affect other D-Bus services as well.  I'm reporting it against NetworkManager
because that's where I'm seeing it.
Comment 1 Ben Liblit 2008-05-20 00:02:52 UTC 
Created attachment 306032 [details]
thread stack traces generated by NetworkManager's failure-logging system
Comment 2 Ben Liblit 2008-05-23 22:16:02 UTC 
<https://bugs.freedesktop.org/show_bug.cgi?id=16079> has a patch, and states
that this is a dbus-glib bug.
Comment 3 Ben Liblit 2008-06-26 22:59:17 UTC 
Dan Williams claims to have fixed this in dbus-glib-0.74-8:

    * Tue May 27 2008 Dan Williams <dcbw> - 0.74-8
    - Handle unknown object properties without asserting (fdo #16079)
    - Handle GetAll() property names correctly (fdo #16114)
    - Enable the freeze-abi patch
    - Cherry-pick some fixes from upstream git
Note You need to log in before you can comment on or make changes to this bug.