[Bug 893821] Re: Shell expansion may allow privilege boundary crossing

Ganton 893821 at bugs.launchpad.net
Fri Dec 9 08:36:20 UTC 2011


> sbeattie also pointed out that $(pidof kded4) returning
> multiple pids could be problematic.
And that's true. 

For example, if I use ssh to access a remote machine, which is using KDE:
    ganton at t1:~$ pidof kded4
    12511 1382
two results were returned.

For more information:
    ganton at t1:~$ ps aux | grep [1]2511
    root     12511  0.0  0.8  79700  5300 ?        S    Dec06   0:07 kdeinit4: kded4 [kdeinit]  
    ganton at t1:~$ ps aux | grep [1]382
    ganton        1382  0.0  7.1 266424 45632 ?        Sl   Dec06   0:43 kdeinit4: kded4 [kdeinit] 
we see that there are two processes named "kded4", one for "root" and another for the user "ganton".

But if something like "pgrep -u" is used:
    ganton at t1:~$ pgrep "kded4" -u "$USER"
    1382
there is no "two results returned" problem.

I suggest changing those "pidof" that appear in the code (for example,
in the patch).

Thanks for the work!

https://bugs.launchpad.net/bugs/893821

Title:
  Shell expansion may allow privilege boundary crossing

Status in “acpid” package in Ubuntu:
  Fix Released

Bug description:
  Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
  that could allow an attacker to execute arbitrary code as the user that
  is logged into the current X session. The prerequisites for the attack
  are as follows:

  1.) The attacker must be able to run an application on the system.

  2.) A power management daemon cannot be running. See $PMS in
  powerbtn.sh for the list of known daemons.

  3.) powerbtn.sh must be triggered. This may happen by pressing a power
  button in a bare-metal installation or by virsh shutdown in a
  virtualized environment.

  Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:

    su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"

  $(pidof kded4) returns the pid of any process(es) named kded4. Due to command
  expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
  environ of any process, owned by any user, to be successfully read.

  The attacker may be running a "fake" kded4 binary which has a malicious
  DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
  shell commands that would be expanded as $XUSER. This opens up the
  possibility of the attacker running code as $XUSER. The prerequisites
  listed above must be met in order for the vulnerable code to be
  exploited.
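A hardened rewrite of the powerbtn.sh excerpt, added here as an example and not the acpid package's own fix: it follows the pgrep -u suggestion from the reply above, reads the environ as the session user instead of root, and validates the bus address instead of eval'ing it. XUSER is assumed to hold the X session user, as in the original script.

```sh
#!/bin/sh
# Added example, not the acpid package's own code: a hardened rewrite of the
# powerbtn.sh excerpt. Assumptions: XUSER holds the X session user, and the
# bus address is taken from that user's own kded4 process.

# Print the pid of the kded4 process owned by "$1", failing unless exactly one
# exists (pgrep -u scopes the lookup to one user, unlike pidof).
single_kded4_pid() {
    pids=$(pgrep -x -u "$1" kded4) || return 1
    case "$pids" in
        "" | *[!0-9]*) return 1 ;;   # none, or several (newline-separated)
    esac
    printf '%s\n' "$pids"
}

# Read a NUL-separated environ blob from stdin and print the bare value of
# DBUS_SESSION_BUS_ADDRESS. The value is never eval'd; anything outside the
# character set of a D-Bus address (quotes, $(...), ;, whitespace) is rejected.
extract_dbus_addr() {
    addr=$(tr '\0' '\n' | grep '^DBUS_SESSION_BUS_ADDRESS=' | head -n 1 | cut -d= -f2-)
    [ -n "$addr" ] || return 1
    case "$addr" in
        *[!A-Za-z0-9_./:,=%@-]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# Glue for the power-button handler: the environ is read as XUSER, not root,
# and the validated address reaches qdbus through the environment, no eval.
notify_kded() {
    pid=$(single_kded4_pid "$XUSER") || return 1
    addr=$(su - "$XUSER" -c "cat /proc/$pid/environ" | extract_dbus_addr) || return 1
    # $addr passed the character check above, so the single quotes cannot be escaped.
    su - "$XUSER" -c "DBUS_SESSION_BUS_ADDRESS='$addr' qdbus org.kde.kded"
}
```

The constructed environ blobs in the checks below stand in for /proc/PID/environ; a value containing shell metacharacters is refused before it ever reaches a shell.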
