It was discovered that the GNOME Display Manager (gdm) cleared the cache directory, which is owned by an unprivileged user, with the privileges of the root user. A race condition exists in gdm where a local user could take advantage of this by writing to the cache directory between ending the session and the signal to clean up the session, which could lead to the execution of arbitrary code as the root user.
Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.
This attack targets code that "caches" (copies) the user's dmrc and face image files from the user's home directory to /var/cache/gdm/$USER. This feature was added in gdm version 2.28.0 according to the NEWS file:
- Now the user's dmrc and face image files are stored in /var/cache/gdm, so
that the login process does not need to access the user's $HOME directory
before authentication. Refer to bug #565151.
Upstream commit and related bugs:
So this is going to be really really hard to exploit in RHEL 6 because of some patches we ship that SIGTERM the worker process before gdm_session_worker_cache_userfiles runs.
I say really really hard and not "impossible" because it's still theoretically possible to hit this bug if all of:
1) the dbus_connection_send call in gdm_session_direct_handle_session_exited decides to perform an immediate instead of a deferred send for the SessionExited reply message (it varies at run time what it will do)
2) the ck_connector_close_session call in session_worker_child_watch and associated blocking consolekit work are effectively instantaneous
3) the slave takes a longer than normal time to shut down and get to the stop_all_conversations call that leads to the worker getting killed.
4) the race in the exploit wins
So we're in a lot better shape than upstream here.
Created attachment 487587
Patch from Ray Strode
Makes sure that the gdm worker process forks and drops privileges before running the user files caching code, to match the behaviour at the beginning of the session.
As noted in comment #7, changes in the RHEL 6 gdm version mean that this caching at the end of the session does not get executed.
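The pattern the patch describes (fork, drop privileges to the cache owner, and only then touch the user-owned cache directory) is shown below as an added example. It is not the gdm patch or gdm code; the function names, the /tmp/gdm-cache-XXXXXX directory and the fake .dmrc file are constructed for illustration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Unlink each entry directly inside `dir`, but only from a forked child that
 * has permanently switched to the cache owner's uid/gid, so the cleanup can
 * do no more than the user could do alone. Returns 0 on success, -1 if not. */
int clean_cache_as_user(const char *dir, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Order matters: supplementary groups, then gid, then uid. */
        if (geteuid() == 0 && setgroups(0, NULL) != 0) _exit(1);
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(1);
        /* Confirm the drop took effect before touching the directory. */
        if (getuid() != uid || geteuid() != uid) _exit(1);
        DIR *d = opendir(dir);
        if (!d) _exit(1);
        int failed = 0; struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            /* unlinkat does not follow symlinks: a planted link is removed, not dereferenced. */
            if (unlinkat(dirfd(d), e->d_name, 0) != 0) failed = 1;
        }
        closedir(d);
        _exit(failed);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
/* Constructed round trip: a throwaway cache dir holding one fake .dmrc,
 * cleaned as the current user. Returns 0 when the file is gone. */
int demo_roundtrip(void)
{
    char dir[] = "/tmp/gdm-cache-XXXXXX", path[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/user.dmrc", dir);
    FILE *f = fopen(path, "w"); if (!f) return 1;
    fputs("[Desktop]\nSession=gnome\n", f); fclose(f);
    int rc = clean_cache_as_user(dir, getuid(), getgid());
    int gone = access(path, F_OK) != 0;
    rmdir(dir);
    return (rc == 0 && gone) ? 0 : 1;
}
```

Run as root, the same function would be called with the session user's uid/gid; run unprivileged, the child simply re-sets its own ids, so the round trip exercises the same code path.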
Public via upstream v2.32.1 release announcement:
Created gdm tracking bugs for this issue
Affects: fedora-all [bug 691496]
This issue did NOT affect the versions of the gdm package, as shipped with Red Hat Enterprise Linux 4 and 5.
This issue affects the version of the gdm package, as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the gdm package, as shipped with Fedora releases 13 and 14.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0395 https://rhn.redhat.com/errata/RHSA-2011-0395.html