Summary: Net::DBus::Object does not correctly validate requested method name to invoke

https://bugzilla.redhat.com/show_bug.cgi?id=499243

           Product: Fedora
           Version: rawhide
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: Security
          Severity: medium
          Priority: low
         Component: perl-Net-DBus
        AssignedTo: cweyl@xxxxxxxxxxxxxxx
        ReportedBy: berrange@xxxxxxxxxx
         QAContact: extras-qa@xxxxxxxxxxxxxxxxx
                CC: berrange@xxxxxxxxxx, cweyl@xxxxxxxxxxxxxxx, fedora-perl-devel-list@xxxxxxxxxx
    Classification: Fedora
    Target Release: ---

Description of problem:

There is a security issue in the implementation of Net::DBus::Object. In the
place where it dispatches RPC calls, it simply does

    $self->can($method_name)

so it allows the dbus client to invoke any method that the service side object
implements. Many service implementors would like the ability to restrict this
to just the methods they explicitly export in the introspection XML data.

Furthermore, the current check also allows direct invocation of several
internal impl methods of Net::DBus::Object itself. This allows a remote client
to do a denial of service by calling 'disconnect', which unregisters the object
from the bus. It also allows the remote client to emit signals on the object,
which other clients may then act on.

For the dbus 'system' bus, the service can be running as root and the client
as an unprivileged user, so this flaw may allow a client to run things they
shouldn't. While the impact of being able to emit signals / invoke improper
methods *may* be limited by the need to have ACLs registered with the dbus
system bus instance, the degree of protection depends on how well the app
author wrote their ACLs. So one can't rely on this.

For the dbus 'session' bus, everything is running as an unprivileged user, so
the impact is reasonably low: denial of service.

This issue is already public via the upstream bug report

    https://rt.cpan.org/Ticket/Display.html?id=45034

And I have a patch available which should resolve it

    http://hg.berrange.com/libraries/net-dbus--devel?cs=be26112c5fdd

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Run the 'examples/example-service.pl' file from the source tar.gz
2. In another terminal run

    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"

Actual results:

The 'disconnect' method was allowed

    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
    method return sender=:1.61 -> dest=:1.62 reply_serial=2
       array [
          string "Hello"
          string " from example-service.pl"
       ]
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
    method return sender=:1.61 -> dest=:1.63 reply_serial=2
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
    Error org.freedesktop.DBus.Error.UnknownMethod: Method "HelloWorld" with signature "s" on interface "org.designfu.SampleInterface" doesn't exist

Expected results:

The 'disconnect' method should be denied

    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
    method return sender=:1.65 -> dest=:1.66 reply_serial=2
       array [
          string "Hello"
          string " from example-service.pl"
       ]
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.disconnect
    Error org.freedesktop.DBus.Error.Failed: No such method SomeObject->disconnect
    $ dbus-send --session --print-reply --dest=org.designfu.SampleService /SomeObject org.designfu.SampleInterface.HelloWorld "string:hello"
    method return sender=:1.65 -> dest=:1.68 reply_serial=2
       array [
          string "Hello"
          string " from example-service.pl"
       ]

Additional info:

Bug affects all Fedora releases.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
Fedora-perl-devel-list mailing list
Fedora-perl-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list
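The dispatch flaw described in the report, reduced to a stand-alone Perl script. This is an added illustration, not code from Net::DBus or from the linked patch: `SampleObject`, its `%EXPORTED` table (standing in for the introspection XML) and the simulated call sequence are all constructed for the example. `dispatch_by_can` reproduces the `$self->can($method_name)` pattern the bug describes, so a client-supplied name like 'disconnect' reaches an internal method; `dispatch_exported` only dispatches names the object declares for export and checks the argument count against the declared signature, so the same call is refused with a "No such method" error and the object stays on the bus.

```perl
#!/usr/bin/perl
# Added example, not Net::DBus code: contrast can()-based dispatch with
# dispatch restricted to explicitly exported methods.
use strict;
use warnings;

package SampleObject;

# Constructed stand-in for the introspection XML: method name => D-Bus
# signature of its arguments. Only these names may be called remotely.
my %EXPORTED = (
    HelloWorld => 's',
);

sub new {
    my ($class) = @_;
    return bless { connected => 1 }, $class;
}

# The one method the service author intends to expose.
sub HelloWorld {
    my ($self, $msg) = @_;
    return [ "Hello", " from SampleObject" ];
}

# Internal method (models Net::DBus::Object's 'disconnect'): unregisters
# the object, after which nothing answers on the bus.
sub disconnect {
    my ($self) = @_;
    $self->{connected} = 0;
    return;
}

sub connected { return $_[0]{connected} }

# Vulnerable pattern from the report: anything the object can() is callable
# by the remote client, including internal methods such as 'disconnect'.
sub dispatch_by_can {
    my ($self, $method, @args) = @_;
    my $code = $self->can($method)
        or die "No such method " . ref($self) . "->$method\n";
    return $self->$code(@args);
}

# Hardened pattern: the name must be in the export table and the argument
# count must match the declared signature (one type code per argument;
# container types are out of scope for this example).
sub dispatch_exported {
    my ($self, $method, @args) = @_;
    die "No such method " . ref($self) . "->$method\n"
        unless exists $EXPORTED{$method};
    my $sig = $EXPORTED{$method};
    die "Method $method expects signature '$sig', got " . scalar(@args) . " arg(s)\n"
        unless @args == length $sig;
    my $code = $self->can($method)
        or die "Exported method $method is not implemented\n";
    return $self->$code(@args);
}

package main;

# The three dbus-send calls from the report, as (method, args...) tuples.
my @calls = (
    [ 'HelloWorld', 'hello' ],
    [ 'disconnect' ],
    [ 'HelloWorld', 'hello' ],
);

for my $dispatcher (qw(dispatch_by_can dispatch_exported)) {
    my $obj = SampleObject->new;
    print "== $dispatcher ==\n";
    for my $call (@calls) {
        my ($method, @args) = @$call;
        if (!$obj->connected) {
            # Once the object is unregistered the bus reports UnknownMethod.
            print "  $method: Error UnknownMethod (object no longer on the bus)\n";
            next;
        }
        my $reply = eval { $obj->$dispatcher($method, @args) };
        if ($@) {
            print "  $method: Error $@";
        } else {
            print "  $method: method return",
                  ($reply ? " [" . join('', @$reply) . "]" : ""), "\n";
        }
    }
}
```

Run with `perl` and compare the two blocks of output: under `dispatch_by_can` the second call succeeds and the third fails with UnknownMethod, matching the "Actual results" transcript; under `dispatch_exported` the second call is refused and the third HelloWorld still answers, matching "Expected results". The signature check matters as well as the name check: an exported method reached with the wrong argument list is refused before the Perl method runs rather than being handed unexpected parameters.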