809437 – (CVE-2012-1615) CVE-2012-1615 Merely installing sectool grants some permissions to users?

Bug 809437 (CVE-2012-1615) - CVE-2012-1615 Merely installing sectool grants some permissions to users?

Summary: CVE-2012-1615 Merely installing sectool grants some permissions to users?

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-1615
Product:	Fedora
Classification:	Fedora
Component:	sectool
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Peter Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-04-03 11:33 UTC by Mathieu Bridon
Modified:	2012-05-26 07:47 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sectool-0.9.5-7.fc16
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-04-06 21:33:01 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mathieu Bridon 2012-04-03 11:33:48 UTC

My user is in the wheel group:
  $ id
  uid=1000(mathieu) gid=1000(mathieu) groups=1000(mathieu),10(wheel),990(mock)
  context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

It's not a super user:
  $ systemctl status crond.service
  crond.service - Command Scheduler
	  Loaded: loaded (/lib/systemd/system/crond.service; enabled)
	  Active: active (running) since Mon, 02 Apr 2012 09:48:36 +0800; 1 day and 9h ago
	Main PID: 888 (crond)
  $ systemctl restart crond.service
  Failed to issue method call: Access denied

But it's an "administrator" for PolicyKit and sudo:
  $ sudo systemctl restart crond.service
  [sudo] password for mathieu: 
  $ systemctl status crond.service
  crond.service - Command Scheduler
	  Loaded: loaded (/lib/systemd/system/crond.service; enabled)
	  Active: active (running) since Tue, 03 Apr 2012 19:22:27 +0800; 4s ago
	Main PID: 9932 (crond)
  [... snip ...]

Now, after I install sectool, things change:
  $ systemctl restart crond.service
  $ systemctl status crond.service
  crond.service - Command Scheduler
	  Loaded: loaded (/lib/systemd/system/crond.service; enabled)
	  Active: active (running) since Tue, 03 Apr 2012 19:23:02 +0800; 1s ago
	Main PID: 9954 (crond)
  [... snip ...]


It doesn't seem right that installing a package suddenly grants my user new permissions.

This was first observed by Colin (CC-ed) on Mageia, but I can confirm it also happens on Fedora 16 with sectool-0.9.5-4.fc15.x86_64.rpm

Comment 1 Michal Schmidt 2012-04-03 11:47:08 UTC

Colin also identified the specific file that causes it: org.fedoraproject.sectool.mechanism.conf

When the file is moved away from /etc/dbus-1/system.d/, the bug goes away.

I suspect this piece:
  <policy context="default">
      <allow ...something... />
      <allow send_type="method_call"/>
  </policy>

I don't know the DBus language, but I assume the two <allow> directives are treated independently. So any method calls to anything get allowed :-)

Comment 2 Colin Guthrie 2012-04-03 12:00:48 UTC

Yup, that sounds likely Michal (I'm also don't speak DBus policy, so can't offer any more than that!).

Just for clarity, it doesn't matter what groups your user is in. My test user not in the wheel group could quite happily fiddle about with stuff. This would appear to tie in with Michal's observations too.

Comment 3 Jaroslav Reznik 2012-04-03 14:07:05 UTC

I expect the two allow directives has the desired meaning only while combined in one <allow send_destination="org.fedoraproject.sectool.mechanism" send_type="method_call"/>. This would mean - allow method_call for destination .sectool (but see later).

Because according to dbus-daemon manual page, method_call is denied by default. But "The <deny> element's attributes determine whether the deny "matches" a particular action. If it matches, the action is denied *(unless later rules in the config file allow it)*.". So the allow send_type without a specific destination overrides it.

I checked .conf files for other PK based mechanisms and it's not needed to allow method_call, it's allowed just by allow send_destination. Then the easiest fix is to remove the offending line, sectool works and there's no privileges escalations. I just wonder in how many other dbus services we can find this...

Man page: http://dbus.freedesktop.org/doc/dbus-daemon.1.html

Btw. it's just my observation and it's not clear from man page and I don't speak DBus policy language neither :)

Comment 4 Fedora Update System 2012-04-03 14:54:35 UTC

sectool-0.9.5-7.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/sectool-0.9.5-7.fc17

Comment 5 Fedora Update System 2012-04-03 15:26:55 UTC

sectool-0.9.5-7.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sectool-0.9.5-7.fc16

Comment 6 Vincent Danen 2012-04-03 22:49:50 UTC

Looks like the patch to fix this is here:

http://pkgs.fedoraproject.org/gitweb/?p=sectool.git;a=blob;f=sectool-0.9.5-dbus.patch;h=aedb3ef7f7e5ab22d5438bfb7eee63489ccf3244;hb=4859832281f0e08c6fbe48fc252c4199a0e9e322

But is not yet upstream.  We'll need to request a CVE for this.

Comment 7 Vincent Danen 2012-04-03 22:55:28 UTC

CVE request and notification on oss-security:

http://openwall.com/lists/oss-security/2012/04/03/8

Comment 8 Kurt Seifried 2012-04-04 03:08:36 UTC

Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/04/04/2

Comment 9 Fedora Update System 2012-04-06 21:33:01 UTC

sectool-0.9.5-7.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-05-26 07:47:02 UTC

sectool-0.9.5-7.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.