[Bug 893821] Re: Shell expansion may allow privilege boundary crossing
Ganton
893821 at bugs.launchpad.net
Fri Dec 9 09:27:50 UTC 2011
For more information:
The "cat /proc/[...]/environ" method that is used now there... is said to cause problems:
- "you have multiple hosts"
- "when more than one X session is used"
- etc.
These two sites talk more about it:
http://www.rootninja.com/dbus-session-bus-address-with-applications-using-ssh/
http://machine-cycle.blogspot.com/2010/12/ssh-and-dbus-sessions.html
--
https://bugs.launchpad.net/bugs/893821
Title:
Shell expansion may allow privilege boundary crossing
Status in “acpid” package in Ubuntu:
Fix Released
Bug description:
Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
that could allow an attacker to execute arbitrary code as the user that
is logged into the current X session. The prerequisites for the attack
are as follows:
1.) The attacker must be able to run an application on the system.
2.) A power management daemon cannot be running. See $PMS in
powerbtn.sh for the list of known daemons.
3.) powerbtn.sh must be triggered. This may happen by pressing a power
button in a bare-metal installation or by virsh shutdown in a
virtualized environment.
Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:
    su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"
$(pidof kded4) returns the pid of any process(es) named kded4. Due to command
expansion, cat /proc/$(pidof kded4)/environ is run as root, allowing the
environ of any process, owned by any user, to be successfully read.
The attacker may be running a "fake" kded4 binary which has a malicious
DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
shell commands that would be expanded as $XUSER. This opens up the
possibility of the attacker running code as $XUSER. The prerequisites
listed above must be met in order for the vulnerable code to be
exploited.
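
A defensive sketch of the two checks the description implies, as an added example that is not acpid's code or the released fix: read the environ only of a process owned by the session user, and treat the value as validated data instead of passing it to eval. The function names and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example, not acpid's code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make the bracket ranges below byte-exact

# Succeed only if path $1 is owned by numeric uid $2.
owned_by_uid() {
    [ "$(ls -ldn "$1" 2>/dev/null | awk '{print $3}')" = "$2" ]
}

# Print DBUS_SESSION_BUS_ADDRESS from the NUL-separated environ file $1,
# but only if the value is built from an allowlist of characters.
dbus_addr_from_environ() {
    addr=$(tr '\0' '\n' < "$1" |
           sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1) || return 1
    [ -n "$addr" ] || return 1
    case $addr in
        # Assumption: one address, stricter than the D-Bus grammar; anything
        # the shell could interpret (; $ ` quotes, spaces, globs) is refused.
        *[!A-Za-z0-9_/.:,=%-]*) return 1 ;;
    esac
    printf '%s\n' "$addr"
}

# $1 = uid of the X session user, $2 = candidate pid, $3 = proc root.
session_bus_addr() {
    case $2 in ''|*[!0-9]*) return 1 ;; esac      # one numeric pid only
    dir=${3:-/proc}/$2
    owned_by_uid "$dir" "$1" || return 1          # ignore other users' kded4
    dbus_addr_from_environ "$dir/environ"
}

# Intended use (pidof can return several pids, so try each in turn):
#   for p in $(pidof kded4); do
#       addr=$(session_bus_addr "$(id -u "$XUSER")" "$p") && break
#   done
```

Because the accepted value contains no quotes or shell metacharacters, it can be placed in the command run as $XUSER as a plain assignment, with no eval.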