Firewall blocking desktop features

Oron Peled oron at actcom.co.il
Fri Sep 13 08:23:00 UTC 2013


On Friday 13 September 2013 01:51:00 drago01 wrote:
> On Fri, Sep 13, 2013 at 1:26 AM, Oron Peled <oron at actcom.co.il> wrote:
> >    - This means that any privileged service controlled by GUI client (e.g:
> >      NetworkManager) is still only as secure as its controller (e.g:
> >      nm-applet).
> This is wrong. That's not how "controlling the service" works.

Care to explain?
 * Let's assume someone exploits a buffer overflow in nm-applet to execute
   arbitrary code.

 * Now she can ask NM (over dbus) to do "legitimate" operations without
   the user's consent/knowledge -- e.g: connect to some random-joe wireless
   network, etc. (btw, the user can still discover the truth via another
   client which isn't subverted -- like nmcli, the kde widget, etc.)

 * I don't claim this attack is easy, because the arbitrary code would
   have to hook into all relevant dbus callbacks for the wanted transaction
   to complete successfully, but I don't see any theoretical show-stopper.

 * IMO, all this just sets some upper bound to our security expectations.
   Privilege separation of services into a "controller-controlled" pair
   is an improvement over the previous state of affairs, but a
   "verified-good" controller can still become rogue during runtime
   due to a buffer overflow -- it then still has the same power
   it had before :-(

-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://users.actcom.co.il/~oron
It's not the software that's free; it's you.
        - billyskank on Groklaw
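
The cross-check mentioned in the message (asking a client other than nm-applet what NetworkManager is really connected to), as an added example that is not part of the original post. The allowlist, the sample lines and the function names are assumptions; the terse `nmcli` output is assumed to be `NAME:TYPE:DEVICE` rows with `\` escaping of colons.

```python
import subprocess

# Connection types treated as wireless (terse and display spellings).
WIFI_TYPES = {"802-11-wireless", "wifi"}

def split_terse(line):
    """Split one `nmcli -t` row on ':' while honouring backslash escapes."""
    fields, cur, esc = [], [], False
    for ch in line:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def unexpected_wifi(terse_output, allowed):
    """Return (name, device) for active wireless connections not in `allowed`."""
    hits = []
    for line in terse_output.splitlines():
        fields = split_terse(line)
        if len(fields) != 3:
            continue  # blank line or not a NAME:TYPE:DEVICE row
        name, ctype, device = fields
        if ctype in WIFI_TYPES and name not in allowed:
            hits.append((name, device))
    return hits

def active_connections():
    """Query NetworkManager through nmcli, independently of the applet."""
    cmd = ["nmcli", "-t", "-f", "NAME,TYPE,DEVICE", "connection", "show", "--active"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed sample output (not captured from a real system).
SAMPLE = ("HomeNet:802-11-wireless:wlan0\n"
          "Wired connection 1:802-3-ethernet:eth0\n"
          "random\\:joe:802-11-wireless:wlan1\n")

if __name__ == "__main__":
    # On a live system, pass active_connections() instead of SAMPLE.
    for name, dev in unexpected_wifi(SAMPLE, allowed={"HomeNet"}):
        print(f"unexpected wireless connection {name!r} on {dev}")
```
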


