After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 534544 - fetching bogus D-Bus property crashes NetworkManager daemon
fetching bogus D-Bus property crashes NetworkManager daemon
Status: RESOLVED NOTGNOME
Product: NetworkManager
Classification: Platform
Component: general
git master
Other Linux
: Normal normal
: ---
Assigned To: Dan Williams
Dan Williams
Depends on:
Blocks:
 
 
Reported: 2008-05-23 20:52 UTC by Ben Liblit
Modified: 2008-05-23 22:12 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
thread stack traces generated by NetworkManager's failure-logging system (3.19 KB, text/plain)
2008-05-23 20:54 UTC, Ben Liblit
Details

Description Ben Liblit 2008-05-23 20:52:03 UTC
Using D-Bus to request a non-existing property from a NetworkManager object crashes the NetworkManager daemon.  This allows any (non-privileged) user to kill NetworkManager, which in turn could conceivably have security implications.

I'm seeing this problem with the following possibly-relevant packages, all prebuilt and installed as Fedora 9 RPMs:

    NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386
    dbus-1.2.1-1.fc9.i386
    dbus-glib-0.74-6.fc9.i386
    glib-1.2.10-29.fc9.i386

The problem is 100% reproducible using the following steps:

    1. Ensure that NetworkManager is running.

    2. Log on to the console.

    3. Run the following command as the console user:

          dbus-send --system --print-reply --type=method_call \
          --dest=org.freedesktop.NetworkManager \
          /org/freedesktop/NetworkManager \
          org.freedesktop.DBus.Properties.Get \
          string:org.freedesktop.NetworkManager string:State

    4. Run the following command as the console user, where "State" has
       been changed to "BogusPropertyName":

          dbus-send --system --print-reply --type=method_call \
          --dest=org.freedesktop.NetworkManager \
          /org/freedesktop/NetworkManager \
          org.freedesktop.DBus.Properties.Get \
          string:org.freedesktop.NetworkManager string:BogusPropertyName

The first "dbus-send" command successfully fetches the State property.  However, the second "dbus-send" command fails, reporting "Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)".  Listing processes using "ps" shows that the NetworkManager daemon is no longer running.

NetworkManager should be robust in the face of arbitrary abuse from non-privileged users.  The second "dbus-send" command should have reported some sort of missing-property error but should not have crashed the daemon.

I have no idea whether this vulnerability is NetworkManager-specific or would
affect other D-Bus services as well.  I'm reporting it against NetworkManager
because that's where I'm seeing it.
Comment 1 Ben Liblit 2008-05-23 20:54:01 UTC
Created attachment 111437 [details]
thread stack traces generated by NetworkManager's failure-logging system
Comment 2 Dan Williams 2008-05-23 22:02:03 UTC
Thanks for the report; bug is actually in dbus-glib and now filed (with patch) here:

https://bugs.freedesktop.org/show_bug.cgi?id=16079

pretty critical though, but there's not much NM can do about it.
Comment 3 Ben Liblit 2008-05-23 22:12:19 UTC
Thanks for the speedy response.