Public bug reported:
Summary
=======
The ukui-control-center system D-Bus backend runs as root. Its setaptproxy(ip,
port, open) method performs no caller authentication or polkit authorization.
Any local user permitted to access the system bus can make the service create,
overwrite, or remove these root-managed files:
/etc/apt/apt.conf.d/80apt-proxy
/etc/profile.d/80apt-proxy.sh
The method inserts the caller-controlled ip and port strings into APT
configuration
and shell-script text without validating or escaping quotes, newlines, or other
configuration syntax. An unprivileged caller can therefore inject additional APT
directives and shell lines into files written by the root service.
APT supports command hooks such as Update::Pre-Invoke and DPkg::Pre-Invoke. An
injected hook can be executed as root during a later automatic or administrator-
initiated package operation. The profile file provides a second injection sink
because it can be sourced by login shells.
Calling setaptproxy(..., open=false) is also unauthenticated and can remove the
two
proxy files, allowing an unprivileged user to alter system-wide proxy behavior.
Verified and inferred impact
============================
The original reproduction verified the following behavior:
* An unprivileged uid 1000 user with no sudo or root credentials could call
setaptproxy().
* The method returned success.
* The root-owned /etc/apt/apt.conf.d/80apt-proxy file contained an additional
APT
hook directive supplied through a newline in the ip argument.
The subsequent root command-execution impact follows from the documented
behavior
of APT hooks when a root-owned apt update or package operation reads the
injected
configuration. This report does not include or execute that trigger.
Test environment from the original report
=========================================
* Ubuntu Kylin based on Ubuntu 26.04, UKUI desktop
* ukui-control-center 4.20.0.1-0ubuntu2
* amd64 virtual machine, 4 vCPUs and 4 GiB RAM
* Linux kernel 7.0.0
* Unprivileged user test, uid 1000, with no sudo or root credentials
* Distribution-provided python3 and python3-dbus
Safe static verification
========================
The following verification does not call the vulnerable method, write to /etc,
or
run APT. It is sufficient to confirm the vulnerable data flow in the published
source package.
1. Obtain ukui-control-center 4.20.0.1-0ubuntu2 from the Ubuntu Launchpad source
package page:
https://launchpad.net/ubuntu/+source/ukui-control-
center/4.20.0.1-0ubuntu2
2. Inspect registeredQDbus/conf/com.control.center.qt.systemdbus.service and
confirm that liblaunchSysDbus.so is started as root.
3. Inspect registeredQDbus/conf/com.control.center.qt.systemdbus.conf and
confirm
that the default policy permits calls to com.control.center.interface.
4. Inspect SysdbusRegister::setaptproxy() in
registeredQDbus/sysdbusregister.cpp.
The method does not obtain the D-Bus sender and does not call a polkit
helper.
5. Trace ip and port through QString::arg() into content_http, content_https,
profile_http, and profile_https without validation or escaping.
6. Confirm that those strings are written with QFile by the root service to the
two system paths listed above.
For dynamic confirmation, the Ubuntu Security Team should use an isolated
virtual
machine and a non-executable marker directive. The full original reproducer
should
be exchanged privately rather than attached to a public bug.
Actual result
=============
According to the original reproduction, an unprivileged D-Bus call returned true
and caused the root service to write attacker-influenced APT syntax into the
root-owned 80apt-proxy file. No authorization prompt or caller check occurred.
Expected result
===============
Only an explicitly authorized administrator should be able to change system-wide
APT and profile configuration. Host and port values must be parsed and validated
as data and must not be able to introduce additional APT directives or shell
lines.
An unprivileged caller must not be able to remove the system proxy files.
** Affects: ukui-control-center (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160491
Title:
ukui-control-center setaptproxy allows unauthenticated APT and profile
configuration injection
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ukui-control-center/+bug/2160491/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs