Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: Net::DBus::Object does not correctly validate requested method name to invoke
https://bugzilla.redhat.com/show_bug.cgi?id=499243
Summary: Net::DBus::Object does not correctly validate requested method name to invoke
Product: Fedora
Version: rawhide
Platform: All
OS/Version: Linux
Status: NEW
Keywords: Security
Severity: medium
Priority: low
Component: perl-Net-DBus
AssignedTo: cweyl@alumni.drew.edu
ReportedBy: berrange@redhat.com
QAContact: extras-qa@fedoraproject.org
CC: berrange@redhat.com, cweyl@alumni.drew.edu, fedora-perl-devel-list@redhat.com
Classification: Fedora
Target Release: ---
Description of problem: There is a security issue in the implementation of Net::DBus::Object.
In the place where it dispatches RPC calls, it simply does
$self->can($method_name)
so it allows the dbus client to invoke any method that the service-side object implements. Many service implementors would like the ability to restrict this to just the methods they explicitly export in the introspection XML data.
Furthermore, the current check also allows direct invocation of several internal impl methods of Net::DBus::Object itself.
This allows a remote client to do a denial of service by calling 'disconnect', which unregisters the object from the bus. It also allows the remote client to emit signals on the object which other clients may then act on.
For the dbus 'system' bus, the service can be running as root and the client as an unprivileged user, so this flaw may allow a client to run things they shouldn't. While the impact of being able to emit signals / invoke improper methods *may* be limited by the need to have ACLs registered with the dbus system bus instance, the degree of protection depends on how well the app author wrote their ACLs. So one can't rely on this.
For the dbus 'session' bus, everything is running as an unprivileged user, so the impact is reasonably low: denial of service.
This issue is already public via upstream bug report
https://rt.cpan.org/Ticket/Display.html?id=45034
And I have a patch available which should resolve it
http://hg.berrange.com/libraries/net-dbus--devel?cs=be26112c5fdd
Version-Release number of selected component (if applicable):
How reproducible: Always
Steps to Reproduce:
1. Run the 'examples/example-service.pl' file from source tar.gz
2. In another terminal run

   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"

Actual results: The 'disconnect' method was allowed

   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
   method return sender=:1.61 -> dest=:1.62 reply_serial=2
      array [
         string "Hello"
         string " from example-service.pl"
      ]
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
   method return sender=:1.61 -> dest=:1.63 reply_serial=2
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
   Error org.freedesktop.DBus.Error.UnknownMethod: Method "HelloWorld" with signature "s" on interface "org.designfu.SampleInterface" doesn't exist

Expected results: The 'disconnect' method should be denied

   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
   method return sender=:1.65 -> dest=:1.66 reply_serial=2
      array [
         string "Hello"
         string " from example-service.pl"
      ]
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
   Error org.freedesktop.DBus.Error.Failed: No such method SomeObject->disconnect
   $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
   method return sender=:1.65 -> dest=:1.68 reply_serial=2
      array [
         string "Hello"
         string " from example-service.pl"
      ]
Additional info: Bug affects all Fedora releases.
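The dispatch pattern described in this report, contrasted with an allowlist-based fix, as an added standalone example. This is not Net::DBus code and not the reporter's patch: the `MyService` class, its `%EXPORTED` table and the two `dispatch_*` methods are hypothetical stand-ins that model a service object with one exported RPC method and one internal lifecycle method, so the difference between looking a name up with `can` and checking it against the explicitly exported set can be seen without a bus.

```perl
#!/usr/bin/perl
# Added example, not Net::DBus code. MyService, %EXPORTED, dispatch_unsafe
# and dispatch_safe are hypothetical names used only for illustration.
use strict;
use warnings;

package MyService;

# The methods the service author deliberately exports; this is the set that
# would be advertised in the introspection XML. Everything else is internal.
my %EXPORTED = map { $_ => 1 } qw(HelloWorld);

sub new {
    my ($class) = @_;
    return bless { connected => 1 }, $class;
}

# Exported RPC method
sub HelloWorld {
    my ($self, $name) = @_;
    return "Hello $name";
}

# Internal lifecycle method: must not be reachable from the bus
sub disconnect {
    my ($self) = @_;
    $self->{connected} = 0;
    return;
}

# Unsafe dispatch: any method the object 'can' is callable by a client,
# including internal ones such as disconnect.
sub dispatch_unsafe {
    my ($self, $method, @args) = @_;
    my $code = $self->can($method)
        or die "No such method $method\n";
    return $self->$code(@args);
}

# Hardened dispatch: the requested name is checked against the export list
# before any method lookup is attempted.
sub dispatch_safe {
    my ($self, $method, @args) = @_;
    die "No such method $method\n" unless $EXPORTED{$method};
    my $code = $self->can($method)
        or die "No such method $method\n";
    return $self->$code(@args);
}

package main;

my $svc = MyService->new;

# Exported method works through the hardened dispatcher
print $svc->dispatch_safe('HelloWorld', 'hello'), "\n";

# Internal method is rejected by the hardened dispatcher
eval { $svc->dispatch_safe('disconnect') };
print "safe dispatch rejected 'disconnect': $@" if $@;
print "connected after safe dispatch: $svc->{connected}\n";

# The same call succeeds through the 'can'-based dispatcher and unregisters
# the object, which is the denial of service the report describes.
$svc->dispatch_unsafe('disconnect');
print "connected after unsafe dispatch: $svc->{connected}\n";
```

Run with `perl example.pl`: the hardened dispatcher answers `HelloWorld` and refuses `disconnect` with "No such method", leaving `connected` at 1, while the `can`-based dispatcher lets the same request flip it to 0. A real fix would derive the allowed set from the same data the introspection XML is generated from, so the advertised interface and the callable interface cannot drift apart.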
--- Comment #2 from Bug Zapper fedora-triage-list@redhat.com 2010-04-27 10:08:37 EDT ---
This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Bug Zapper fedora-triage-list@redhat.com changed:
           What    |Removed |Added
----------------------------------------------------------------------------
         Status    |NEW     |CLOSED
     Resolution    |        |WONTFIX
--- Comment #3 from Bug Zapper fedora-triage-list@redhat.com 2010-06-28 08:23:07 EDT ---
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.