D-BUS Allows Local Users to Connect to the Session Bus
SecurityTracker Alert ID: 1013075
SecurityTracker URL: http://securitytracker.com/id?1013075
CVE Reference: CAN-2005-0201
Date: Feb 3 2005
Impact: Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 0.23 and prior versions
Description: A vulnerability was reported in D-BUS. A local user can send D-BUS messages to other users.
Daniel Reed reported that the session bus does not restrict connections based on the connecting user's uid. A local user who knows another user's session bus address can invoke dbus-send to connect to that user's session bus.
The flaw resides in 'bus/policy.c'.
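The advisory turns on where the uid check actually lives: a session bus is usually reachable through a Unix socket, and an abstract-namespace socket has no filesystem permissions at all, so the daemon's own per-connection uid policy (the bus/policy.c code named above) is the only thing keeping other local users out. The following helper is an added example written for this page; it is not part of D-Bus or of the advisory. It parses the real D-Bus address syntax ('transport:key=value,...' entries separated by ';', with %XX escaping) and reports, for each unix transport, whether anything below the daemon restricts access. The function names and the findings text are this example's own.

```python
"""Assess a D-Bus session bus address for cross-uid exposure (hypothetical helper)."""
import os
import stat
from urllib.parse import unquote


def parse_dbus_address(address):
    """Split a D-Bus server address into a list of (transport, params).

    Entries are ';'-separated; each is 'transport:key=value,...' and
    values use '%XX' escaping, exactly as D-Bus writes them.
    """
    entries = []
    for entry in address.split(";"):
        if not entry:
            continue
        transport, sep, rest = entry.partition(":")
        if not sep:
            raise ValueError("malformed address entry: %r" % entry)
        params = {}
        for kv in filter(None, rest.split(",")):
            key, eq, value = kv.partition("=")
            if not eq:
                raise ValueError("malformed key/value pair: %r" % kv)
            params[key] = unquote(value)
        entries.append((transport, params))
    return entries


def assess_unix_transport(params, owner_uid=None, mode=None, expected_uid=None):
    """Return findings for one 'unix:' entry.

    owner_uid/mode describe the listening socket (from os.stat, or injected
    for testing); expected_uid is the uid that should own the session.
    """
    findings = []
    if "abstract" in params:
        # Abstract sockets carry no filesystem permissions, so nothing on the
        # filesystem limits who may connect; only the daemon's uid check
        # (the bus/policy.c logic this advisory concerns) stands between
        # other local users and the bus.
        findings.append("abstract socket: access depends entirely on daemon uid policy")
    elif "path" in params:
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("socket %s is group/world accessible (mode %o)"
                            % (params["path"], stat.S_IMODE(mode)))
        if owner_uid is not None and expected_uid is not None and owner_uid != expected_uid:
            findings.append("socket %s owned by uid %d, expected uid %d"
                            % (params["path"], owner_uid, expected_uid))
    else:
        findings.append("unix transport without a path or abstract key")
    return findings


def assess_session_address(address, expected_uid=None):
    """Assess every entry in a session bus address, stat'ing filesystem sockets."""
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    for transport, params in parse_dbus_address(address):
        if transport != "unix":
            # tcp and similar transports offer no peer credentials to the
            # daemon, so a uid-based policy cannot protect them at all.
            findings.append("%s transport: no socket-level peer credentials" % transport)
            continue
        owner_uid = mode = None
        if "path" in params:
            try:
                st = os.stat(params["path"])
            except OSError as exc:
                findings.append("cannot stat %s: %s" % (params["path"], exc))
                continue
            owner_uid, mode = st.st_uid, st.st_mode
        findings.extend(assess_unix_transport(params, owner_uid, mode, expected_uid))
    return findings


if __name__ == "__main__":
    # Check the caller's own session bus, if one is set in the environment.
    addr = os.environ.get("DBUS_SESSION_BUS_ADDRESS")
    if addr:
        for line in assess_session_address(addr) or ["no findings"]:
            print(line)
    else:
        print("DBUS_SESSION_BUS_ADDRESS is not set")
```

An "abstract socket" finding is not itself a defect; it says that the fix for this advisory (the daemon refusing connections from other uids) is the control that matters, so a fixed dbus-daemon is the mitigation, not socket permissions.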
Impact: A local user can send D-BUS messages to other users.
Solution: A patch is available at:
https://bugs.freedesktop.org/show_bug.cgi?id=2436
Vendor URL: www.freedesktop.org/Software/dbus
Cause: Access control error
Underlying OS: Linux (Any)
Message History:
None.
Source Message Contents
Date: Thu, 3 Feb 2005 00:39:20 -0500
Subject: http://bugs.freedesktop.org/show_bug.cgi?id=2436
Reported by: Daniel Reed
Subject: session bus does not restrict connections based on uid
If I login as root and create a session bus, then login as another user, I am
able to use dbus-send to connect to root's session bus.
To reproduce:
Login as root, open a terminal, echo $DBUS_SESSION_BUS_ADDRESS, write down the
address.
Run dbus-monitor --session
Login as another user on a console, run:
env DBUS_SESSION_BUS_ADDRESS=(address written down above) dbus-send
--dest=org.freedesktop.DBus --type=method_call --print-reply
/org/freedesktop/DBus org.freedesktop.DBus.ListServices
The dbus-send gives a message about not being able to print the return value,
and the dbus-monitor on root's session bus shows the ListServices request coming
through.