[Secure-testing-team] Bug#853951: iio-sensor-proxy: configures dbus-daemon to be insecure

Simon McVittie smcv at debian.org
Thu Feb 2 12:22:27 UTC 2017 

Package: iio-sensor-proxy
Version: 2.0-3
Severity: critical
Tags: security
Justification: potential root security hole

Sorry for the 0-day public report, but this is already known to the public
via #debian-devel and
<https://lintian.debian.org/tags/dbus-policy-excessively-broad.html>.

iio-sensor-proxy has this:

  <!-- Anyone can talk to the main interface -->
  <policy context="default">
    <allow send_interface="net.hadess.SensorProxy"/>
    <allow send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_interface="org.freedesktop.DBus.Peer"/>

This does not do what it says in the comment. It allows every connection
to the system bus to send any message to the Properties interface on
any system bus service. If any system bus service has a property
that should only be set by root, everyone can now set it. This is Very Bad,
and I could easily imagine it causing a root security hole.

I'm assuming the intended policy was to put a
send_destination="net.hadess.SensorProxy" on everythng:

  <!-- Only root can own the service -->
  <policy user="root">
    <allow own="net.hadess.SensorProxy"/>
  </policy>

  <!-- Only Geoclue can access the compass -->
  <policy user="geoclue">
    <allow send_destination="net.hadess.SensorProxy" send_interface="net.hadess.SensorProxy.Compass" send_path="/net/hadess/SensorProxy/Compass"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
  </policy>

  <!-- Anyone can talk to the main interfaces -->
  <policy context="default">
    <allow send_destination="net.hadess.SensorProxy" send_interface="net.hadess.SensorProxy"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties"/>
    <allow send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer"/>
    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Introspectable" send_path="/net/hadess/SensorProxy/Compass"/>
    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Properties" send_path="/net/hadess/SensorProxy/Compass"/>
    <deny send_destination="net.hadess.SensorProxy" send_interface="org.freedesktop.DBus.Peer" send_path="/net/hadess/SensorProxy/Compass"/>
  </policy>

Regards,
    S

More information about the Secure-testing-team mailing list