Firewall blocking desktop features
oron at actcom.co.il
Fri Sep 13 08:23:00 UTC 2013
On Friday 13 September 2013 01:51:00 drago01 wrote:
> On Fri, Sep 13, 2013 at 1:26 AM, Oron Peled <oron at actcom.co.il> wrote:
> > - This means that any privileged service controlled by GUI client (e.g:
> > NetworkManager) is still only as secure as it's controller (e.g:
> > nm-applet).
> This is wrong. That's not how "controlling the service" works.
Care to explain?
* Let's assume someone exploit a buffer overflow in nm-applet to execute
* Now she can ask (over dbus) from NM to do "legitimate" operations without
the user consent/knowledge -- e.g: connect to some random-joe wireless
network, etc. (btw, the user can still discover the truth via other
client which isn't subverted -- like nmcli, the kde widget, etc.)
* I don't claim this attack is easy, because the arbitrary code would
have to hook into all relevant dbus callbacks for the wanted transaction
to complete successfully, but I don't see any theoretical show-stopper.
* IMO, all this just set some upper bound to our security expectations.
Privilege separation of services into "controller-controlled" pair
is an improvement over the previous state of affairs, but a
"verified-good" controller can still become rogue during runtime
due to a buffer overflow -- it than still have the same power
it had before :-(
Oron Peled Voice: +972-4-8228492
oron at actcom.co.il http://users.actcom.co.il/~oron
It's not the software that's free; it's you.
- billyskank on Groklaw
More information about the devel