Public bug reported:
Summary
=======
The ukui-control-center system D-Bus backend runs as root and exposes the
setGrupPasswd() method. The method has two security issues that can be combined
by
an unprivileged local user:
1. Polkit authorization can be bypassed when the caller executable resolves to
/usr/bin/ukui-session-service. An unprivileged user can launch that
dynamically
linked executable with an LD_PRELOAD library whose constructor sends the
D-Bus
request. The D-Bus service sees the expected /proc/<pid>/exe path and skips
the
polkit check, even though attacker-controlled code issued the request.
2. After this check, caller-controlled strings are interpolated into a shell
command and passed to system() by the root service. The username and locale
are
unquoted, while a single quote can escape the quoting around the password.
The original reproduction confirmed arbitrary command execution as root from an
unprivileged uid 1000 account without sudo or root credentials.
The same executable-path authorization bypass is used by setGrupBootTime() and
setDefaultBootItem(). Both methods also interpolate the caller-controlled lang
argument into a root shell command without quoting.
Test environment
================
* Ubuntu Kylin based on Ubuntu 26.04, UKUI desktop
* ukui-control-center 4.20.0.1-0ubuntu2
* amd64 virtual machine, 4 vCPUs and 4 GiB RAM
* Linux kernel 7.0.0
* Unprivileged user test, uid 1000, with no sudo or root credentials
* /usr/bin/ukui-session-service from the ukui-service-manager package
Steps to reproduce safely
=========================
Perform this test only in a disposable virtual machine because setGrupPasswd()
is
intended to modify GRUB configuration.
1. Log in as an unprivileged user with no sudo or root credentials.
2. Prepare a harmless shared-library bridge whose constructor connects to the
system bus and calls:
destination: com.control.center.qt.systemdbus
object: /
interface: com.control.center.interface
method: setGrupPasswd
Use a username value that terminates the grub-password command and
runs only:
/usr/bin/id > /var/tmp/ukcc-grub-command-injection-proof
Use a non-sensitive dummy password, locale C, and status=true. Do not create
a
shell, change file modes, or access sensitive files.
3. Launch the trusted executable as the same unprivileged user with the harmless
bridge preloaded:
QT_QPA_PLATFORM=offscreen \
LD_PRELOAD=/tmp/ukcc-harmless-dbus-bridge.so \
/usr/bin/ukui-session-service
4. Inspect the marker:
ls -l /var/tmp/ukcc-grub-command-injection-proof
cat /var/tmp/ukcc-grub-command-injection-proof
5. Remove the bridge and marker after collecting the result. The marker is
root-owned, so administrative cleanup may be required.
The complete bridge source is intentionally not included in this public report.
It can be provided privately to reproduce the issue exactly.
Actual result
=============
callerPathCompare() accepts the request because /proc/<pid>/exe resolves to
/usr/bin/ukui-session-service. setGrupPasswd() therefore does not call polkit.
The root service passes the injected command to system(), and the disposable
marker contains output equivalent to:
uid=0(root) gid=0(root) groups=0(root)
The original full proof of concept obtained euid 0. Persistence and
sensitive-file
access details are intentionally omitted from this public report.
Expected result
===============
Every call that changes GRUB configuration must require a successful
authorization
decision for the actual D-Bus caller. No caller-controlled value should be
parsed
by a shell in the root service. Launching a trusted executable with injected
code
must not grant that code trusted access to privileged D-Bus methods.
** Affects: ukui-control-center (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160492
Title:
ukui-control-center setGrupPasswd permits polkit bypass and root
command injection
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ukui-control-center/+bug/2160492/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs