• Simon McVittie's avatar
    auth: Reject DBUS_COOKIE_SHA1 for users other than the server owner · 47b1a4c4
    Simon McVittie authored
    The DBUS_COOKIE_SHA1 authentication mechanism aims to prove ownership
    of a shared home directory by having the server write a secret "cookie"
    into a .dbus-keyrings subdirectory of the desired identity's home
    directory with 0700 permissions, and having the client prove that it can
    read the cookie. This never actually worked for non-malicious clients in
    the case where server uid != client uid (unless the server and client
    both have privileges, such as Linux CAP_DAC_OVERRIDE or traditional
    Unix uid 0) because an unprivileged server would fail to write out the
    cookie, and an unprivileged client would be unable to read the resulting
    file owned by the server.
    
    Additionally, since dbus 1.7.10 we have checked that ~/.dbus-keyrings
    is owned by the uid of the server (a side-effect of a check added to
    harden our use of XDG_RUNTIME_DIR), further ruling out successful use
    by a non-malicious client with a uid differing from the server's.
    
    Joe Vennix of Apple Information Security discovered that the
    implementation of DBUS_COOKIE_SHA1 was susceptible to a symbolic link
    attack: a malicious client with write access to its own home directory
    could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to
    read and write in unintended locations. In the worst case this could
    result in the DBusServer reusing a cookie that is known to the
    malicious client, and treating that cookie as evidence that a subsequent
    client connection came from an attacker-chosen uid, allowing
    authentication bypass.
    
    This is mitigated by the fact that by default, the well-known system
    dbus-daemon (since 2003) and the well-known session dbus-daemon (in
    stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL
    authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1
    at an early stage, before manipulating cookies. As a result, this
    vulnerability only applies to:
    
    * system or session dbus-daemons with non-standard configuration
    * third-party dbus-daemon invocations such as at-spi2-core (although
      in practice at-spi2-core also only accepts EXTERNAL by default)
    * third-party uses of DBusServer such as the one in Upstart
    
    Avoiding symlink attacks in a portable way is difficult, because APIs
    like openat() and Linux /proc/self/fd are not universally available.
    However, because DBUS_COOKIE_SHA1 already doesn't work in practice for
    a non-matching uid, we can solve this vulnerability in an easier way
    without regressions, by rejecting it early (before looking at
    ~/.dbus-keyrings) whenever the requested identity doesn't match the
    identity of the process hosting the DBusServer.
    Signed-off-by: Simon McVittie's avatarSimon McVittie <smcv@collabora.com>
    Closes: #269
    Closes: CVE-2019-12749
    47b1a4c4
Name
Last commit
Last update
bus Loading commit data...
cmake Loading commit data...
dbus Loading commit data...
doc Loading commit data...
m4 Loading commit data...
test Loading commit data...
tools Loading commit data...
.gitignore Loading commit data...
.gitlab-ci.yml Loading commit data...
.mailmap Loading commit data...
.travis.yml Loading commit data...
AUTHORS Loading commit data...
CONTRIBUTING.md Loading commit data...
COPYING Loading commit data...
ChangeLog Loading commit data...
ChangeLog.pre-1-0 Loading commit data...
ChangeLog.pre-1-2 Loading commit data...
Doxyfile.in Loading commit data...
INSTALL Loading commit data...
Makefile.am Loading commit data...
NEWS Loading commit data...
NEWS.pre-1-0 Loading commit data...
NEWS.pre-1-2 Loading commit data...
README Loading commit data...
README.cmake Loading commit data...
README.cygwin Loading commit data...
README.launchd Loading commit data...
README.valgrind Loading commit data...
README.win Loading commit data...
README.wince Loading commit data...
autogen.sh Loading commit data...
cleanup-man-pages.sh Loading commit data...
configure.ac Loading commit data...
dbus-1-uninstalled.pc.in Loading commit data...
dbus-1.pc.in Loading commit data...