** Tags added: patch -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to accountsservice in Ubuntu. https://bugs.launchpad.net/bugs/2024182
Title: GHSL-2023-139: use-after-free in user.c Status in accountsservice package in Ubuntu: In Progress Status in accountsservice source package in Focal: Fix Released Status in accountsservice source package in Jammy: Fix Released Status in accountsservice source package in Kinetic: Fix Released Status in accountsservice source package in Lunar: Fix Released Status in accountsservice source package in Mantic: In Progress Bug description: # GitHub Security Lab (GHSL) Vulnerability Report, accountsservice: `GHSL-2023-139` The [GitHub Security Lab](https://securitylab.github.com) team has identified a potential security vulnerability in [accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice). We are committed to working with you to help resolve this issue. In this report you will find everything you need to effectively coordinate a resolution of this issue with the GHSL team. If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at `security...@github.com` (please include `GHSL-2023-139` as a reference). If you are _NOT_ the correct point of contact for this report, please let us know! ## Summary An unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process. ## Product accountsservice ## Tested Version [22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7) The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS, but it is present on both. ## Details ### Use-after-free when `throw_error` is called (`GHSL-2023-139`) After receiving a D-Bus [method call](https://dbus.freedesktop.org/doc/dbus- specification.html#message-protocol-types), a D-Bus server is expected to send either a `METHOD_RETURN` or a `ERROR` message back to the client, _but not both_. This is done incorrectly in several places in accountsservice. For example, in [`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set- language.patch?h=import/22.08.8-1ubuntu7#n427): ```c static void user_change_language_authorized_cb (Daemon *daemon, User *user, GDBusMethodInvocation *context, gpointer data) { const gchar *language = data; if (!user_HOME_available (user)) { /* SetLanguage was probably called from a login greeter, and HOME not mounted and/or not decrypted. Hence don't save anything, or else accountsservice and ~/.pam_environment would become out of sync. */ throw_error (context, ERROR_FAILED, "not access to HOME yet so language not saved"); <===== 1 goto out; } <snip> out: accounts_user_complete_set_language (ACCOUNTS_USER (user), context); <===== 2 } ``` If `user_HOME_available` returns an error, then `throw_error` is called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN` is also sent at 2. This is incorrect D-Bus protocol, but the more serious problem is that it causes a use-after-free because both `throw_error` and `accounts_user_complete_set_language` decrease the reference count on `context`. In other words, `context` is freed by `throw_error` and a UAF occurs in `accounts_user_complete_set_language`. An attacker can trigger the bug above by causing `user_HOME_available` to fail, which they can do by deleting all the files from their home directory. But there are other incorrect uses of `throw_error` in `user.c` which are less inconvenient to trigger. For example, this command triggers a call to `throw_error` in `user_update_environment` due to the invalid characters in the string. ```bash dbus-send --system --print-reply --dest=org.freedesktop.Accounts /org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage string:'**' ``` On Ubuntu 23.04, the above command causes `accounts-daemon` to crash with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible harm. The difference is due to a recent [change in GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa) memory allocation: older versions of GLib used the "slice" allocator, but newer version uses the system allocator. The system allocator trashes the memory when it's freed in a way that causes the use-after- free to trigger a SIGSEGV, whereas the "slice" allocator doesn't trash the memory so the UAF goes unnoticed. #### Impact Exploitation is likely to be difficult, but this bug could potentially enable a local unprivileged attacker to gain root privileges. #### Remediation Always return immediately after calling `throw_error`. For example, it is done correctly in `user_change_background_file_authorized_cb`: ```c if (type != G_FILE_TYPE_REGULAR) { g_debug ("not a regular file\n"); throw_error (context, ERROR_FAILED, "file '%s' is not a regular file", filename); return; } ``` ## GitHub Security Advisories We recommend you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security- vulnerabilities/creating-a-security-advisory) for this finding. This also allows you to invite the GHSL team to collaborate and further discuss this finding in private before it is [published](https://help.github.com/en/github/managing-security- vulnerabilities/publishing-a-security-advisory). ## Credit This issue was discovered and reported by GHSL team member [@kevinbackhouse (Kevin Backhouse)](https://github.com/kevinbackhouse). ## Contact You can contact the GHSL team at `security...@github.com`, please include a reference to `GHSL-2023-139` in any communication regarding this issue. ## Disclosure Policy This report is subject to our [coordinated disclosure policy](https://securitylab.github.com/advisories#policy). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
