GNOME Bugzilla – Bug 534544
fetching bogus D-Bus property crashes NetworkManager daemon
Last modified: 2008-05-23 22:12:19 UTC
Using D-Bus to request a non-existing property from a NetworkManager object crashes the NetworkManager daemon. This allows any (non-privileged) user to kill NetworkManager, which in turn could conceivably have security implications. I'm seeing this problem with the following possibly-relevant packages, all prebuilt and installed as Fedora 9 RPMs: NetworkManager-0.7.0-0.9.3.svn3623.fc9.i386 dbus-1.2.1-1.fc9.i386 dbus-glib-0.74-6.fc9.i386 glib-1.2.10-29.fc9.i386 The problem is 100% reproducible using the following steps: 1. Ensure that NetworkManager is running. 2. Log on to the console. 3. Run the following command as the console user: dbus-send --system --print-reply --type=method_call \ --dest=org.freedesktop.NetworkManager \ /org/freedesktop/NetworkManager \ org.freedesktop.DBus.Properties.Get \ string:org.freedesktop.NetworkManager string:State 4. Run the following command as the console user, where "State" has been changed to "BogusPropertyName": dbus-send --system --print-reply --type=method_call \ --dest=org.freedesktop.NetworkManager \ /org/freedesktop/NetworkManager \ org.freedesktop.DBus.Properties.Get \ string:org.freedesktop.NetworkManager string:BogusPropertyName The first "dbus-send" command successfully fetches the State property. However, the second "dbus-send" command fails, reporting "Error org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)". Listing processes using "ps" shows that the NetworkManager daemon is no longer running. NetworkManager should be robust in the face of arbitrary abuse from non-privileged users. The second "dbus-send" command should have reported some sort of missing-property error but should not have crashed the daemon. I have no idea whether this vulnerability is NetworkManager-specific or would affect other D-Bus services as well. I'm reporting it against NetworkManager because that's where I'm seeing it.
Created attachment 111437 [details] thread stack traces generated by NetworkManager's failure-logging system
Thanks for the report; bug is actually in dbus-glib and now filed (with patch) here: https://bugs.freedesktop.org/show_bug.cgi?id=16079 pretty critical though, but there's not much NM can do about it.
Thanks for the speedy response.