Public bug reported:

Summary
=======

The ukui-control-center system D-Bus backend runs as root and exposes the
setGrupPasswd() method. The method has two security issues that can be combined 
by
an unprivileged local user:

1. Polkit authorization can be bypassed when the caller executable resolves to
   /usr/bin/ukui-session-service. An unprivileged user can launch that 
dynamically
   linked executable with an LD_PRELOAD library whose constructor sends the 
D-Bus
   request. The D-Bus service sees the expected /proc/<pid>/exe path and skips 
the
   polkit check, even though attacker-controlled code issued the request.
2. After this check, caller-controlled strings are interpolated into a shell
   command and passed to system() by the root service. The username and locale 
are
   unquoted, while a single quote can escape the quoting around the password.

The original reproduction confirmed arbitrary command execution as root from an
unprivileged uid 1000 account without sudo or root credentials.

The same executable-path authorization bypass is used by setGrupBootTime() and
setDefaultBootItem(). Both methods also interpolate the caller-controlled lang
argument into a root shell command without quoting.

Test environment
================

* Ubuntu Kylin based on Ubuntu 26.04, UKUI desktop
* ukui-control-center 4.20.0.1-0ubuntu2
* amd64 virtual machine, 4 vCPUs and 4 GiB RAM
* Linux kernel 7.0.0
* Unprivileged user test, uid 1000, with no sudo or root credentials
* /usr/bin/ukui-session-service from the ukui-service-manager package

Steps to reproduce safely
=========================

Perform this test only in a disposable virtual machine because setGrupPasswd() 
is
intended to modify GRUB configuration.

1. Log in as an unprivileged user with no sudo or root credentials.
2. Prepare a harmless shared-library bridge whose constructor connects to the
   system bus and calls:

       destination: com.control.center.qt.systemdbus
       object:      /
       interface:   com.control.center.interface
       method:      setGrupPasswd

   Use a username value that terminates the grub-password command and
runs only:

       /usr/bin/id > /var/tmp/ukcc-grub-command-injection-proof

   Use a non-sensitive dummy password, locale C, and status=true. Do not create 
a
   shell, change file modes, or access sensitive files.
3. Launch the trusted executable as the same unprivileged user with the harmless
   bridge preloaded:

       QT_QPA_PLATFORM=offscreen \
       LD_PRELOAD=/tmp/ukcc-harmless-dbus-bridge.so \
       /usr/bin/ukui-session-service

4. Inspect the marker:

       ls -l /var/tmp/ukcc-grub-command-injection-proof
       cat /var/tmp/ukcc-grub-command-injection-proof

5. Remove the bridge and marker after collecting the result. The marker is
   root-owned, so administrative cleanup may be required.

The complete bridge source is intentionally not included in this public report.
It can be provided privately to reproduce the issue exactly.

Actual result
=============

callerPathCompare() accepts the request because /proc/<pid>/exe resolves to
/usr/bin/ukui-session-service. setGrupPasswd() therefore does not call polkit.
The root service passes the injected command to system(), and the disposable
marker contains output equivalent to:

    uid=0(root) gid=0(root) groups=0(root)

The original full proof of concept obtained euid 0. Persistence and 
sensitive-file
access details are intentionally omitted from this public report.

Expected result
===============

Every call that changes GRUB configuration must require a successful 
authorization
decision for the actual D-Bus caller. No caller-controlled value should be 
parsed
by a shell in the root service. Launching a trusted executable with injected 
code
must not grant that code trusted access to privileged D-Bus methods.

** Affects: ukui-control-center (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160492

Title:
  ukui-control-center setGrupPasswd permits polkit bypass and root
  command injection

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ukui-control-center/+bug/2160492/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to