← Back to team overview

dx-packages team mailing list archive

[Bug 2024182] Re: GHSL-2023-139: use-after-free in user.c

 

This bug was fixed in the package accountsservice - 23.13.9-2ubuntu2

---------------
accountsservice (23.13.9-2ubuntu2) mantic; urgency=medium

  * SECURITY UPDATE: use-after-free in user.c (LP: #2024182)
    - debian/patches/0010-set-language.patch: updated to properly return
      from functions after throw_error() has been called.
    - CVE-2023-3297

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Wed, 28 Jun 2023
11:10:09 -0400

** Changed in: accountsservice (Ubuntu Mantic)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to accountsservice in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/2024182

Title:
  GHSL-2023-139: use-after-free in user.c

Status in accountsservice package in Ubuntu:
  Fix Released
Status in accountsservice source package in Focal:
  Fix Released
Status in accountsservice source package in Jammy:
  Fix Released
Status in accountsservice source package in Kinetic:
  Fix Released
Status in accountsservice source package in Lunar:
  Fix Released
Status in accountsservice source package in Mantic:
  Fix Released

Bug description:
  # GitHub Security Lab (GHSL) Vulnerability Report, accountsservice:
  `GHSL-2023-139`

  The [GitHub Security Lab](https://securitylab.github.com) team has
  identified a potential security vulnerability in
  [accountsservice](https://code.launchpad.net/ubuntu/+source/accountsservice).

  We are committed to working with you to help resolve this issue. In
  this report you will find everything you need to effectively
  coordinate a resolution of this issue with the GHSL team.

  If at any point you have concerns or questions about this process,
  please do not hesitate to reach out to us at `securitylab@xxxxxxxxxx`
  (please include `GHSL-2023-139` as a reference).

  If you are _NOT_ the correct point of contact for this report, please
  let us know!

  ## Summary

  An unprivileged local attacker can trigger a use-after-free
  vulnerability in accountsservice by sending a D-Bus message to the
  accounts-daemon process.

  ## Product

  accountsservice

  ## Tested Version

  [22.08.8-1ubuntu7](https://launchpad.net/ubuntu/+source/accountsservice/22.08.8-1ubuntu7)

  The bug is easier to observe on Ubuntu 23.04 than on Ubuntu 22.04 LTS,
  but it is present on both.

  ## Details

  ### Use-after-free when `throw_error` is called (`GHSL-2023-139`)

  After receiving a D-Bus [method
  call](https://dbus.freedesktop.org/doc/dbus-
  specification.html#message-protocol-types), a D-Bus server is expected
  to send either a `METHOD_RETURN` or a `ERROR` message back to the
  client, _but not both_. This is done incorrectly in several places in
  accountsservice. For example, in
  [`user_change_language_authorized_cb`](https://git.launchpad.net/ubuntu/+source/accountsservice/tree/debian/patches/0010-set-
  language.patch?h=import/22.08.8-1ubuntu7#n427):

  ```c
  static void
  user_change_language_authorized_cb (Daemon                *daemon,
                                      User                  *user,
                                      GDBusMethodInvocation *context,
                                      gpointer               data)

  {
          const gchar *language = data;

          if (!user_HOME_available (user)) {

                  /* SetLanguage was probably called from a login greeter,
                     and HOME not mounted and/or not decrypted.
                     Hence don't save anything, or else accountsservice
                     and ~/.pam_environment would become out of sync. */
                  throw_error (context, ERROR_FAILED, "not access to HOME yet so language not saved");  <===== 1
                  goto out;
          }

          <snip>

  out:
          accounts_user_complete_set_language (ACCOUNTS_USER (user), context);  <===== 2
  }
  ```

  If `user_HOME_available` returns an error, then `throw_error` is
  called at 1 to send an `ERROR` message, but a regular `METHOD_RETURN`
  is also sent at 2. This is incorrect D-Bus protocol, but the more
  serious problem is that it causes a use-after-free because both
  `throw_error` and `accounts_user_complete_set_language` decrease the
  reference count on `context`. In other words, `context` is freed by
  `throw_error` and a UAF occurs in
  `accounts_user_complete_set_language`.

  An attacker can trigger the bug above by causing `user_HOME_available`
  to fail, which they can do by deleting all the files from their home
  directory. But there are other incorrect uses of `throw_error` in
  `user.c` which are less inconvenient to trigger. For example, this
  command triggers a call to `throw_error` in `user_update_environment`
  due to the invalid characters in the string.

  ```bash
  dbus-send --system --print-reply --dest=org.freedesktop.Accounts /org/freedesktop/Accounts/User`id -u` org.freedesktop.Accounts.User.SetLanguage string:'**'
  ```

  On Ubuntu 23.04, the above command causes `accounts-daemon` to crash
  with a `SIGSEGV`. But on Ubuntu 22.04 LTS it doesn't cause any visible
  harm. The difference is due to a recent [change in
  GLib's](https://gitlab.gnome.org/GNOME/glib/-/commit/69e9ba80e2f4d2061a1a68d72bae1c32c1e4f8fa)
  memory allocation: older versions of GLib used the "slice" allocator,
  but newer version uses the system allocator. The system allocator
  trashes the memory when it's freed in a way that causes the use-after-
  free to trigger a SIGSEGV, whereas the "slice" allocator doesn't trash
  the memory so the UAF goes unnoticed.

  #### Impact

  Exploitation is likely to be difficult, but this bug could potentially
  enable a local unprivileged attacker to gain root privileges.

  #### Remediation

  Always return immediately after calling `throw_error`. For example, it
  is done correctly in `user_change_background_file_authorized_cb`:

  ```c
  if (type != G_FILE_TYPE_REGULAR) {
          g_debug ("not a regular file\n");
          throw_error (context, ERROR_FAILED, "file '%s' is not a regular file", filename);
          return;
  }
  ```

  ## GitHub Security Advisories

  We recommend you create a private [GitHub Security
  Advisory](https://help.github.com/en/github/managing-security-
  vulnerabilities/creating-a-security-advisory) for this finding. This
  also allows you to invite the GHSL team to collaborate and further
  discuss this finding in private before it is
  [published](https://help.github.com/en/github/managing-security-
  vulnerabilities/publishing-a-security-advisory).

  ## Credit

  This issue was discovered and reported by GHSL team member
  [@kevinbackhouse (Kevin
  Backhouse)](https://github.com/kevinbackhouse).

  ## Contact

  You can contact the GHSL team at `securitylab@xxxxxxxxxx`, please
  include a reference to `GHSL-2023-139` in any communication regarding
  this issue.

  ## Disclosure Policy

  This report is subject to our [coordinated disclosure
  policy](https://securitylab.github.com/advisories#policy).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182/+subscriptions