Message-ID: <20190704125914.GD9530@f195.suse.de>
Date: Thu, 4 Jul 2019 14:59:14 +0200
From: Matthias Gerstner <mgerstner@...e.de>
To: oss-security@...ts.openwall.com
Subject: deepin-clone: various symlink attacks

Hello,

deepin-clone [1] is a command line and graphical disk backup utility
that is part of the deepin desktop environment (a desktop environment
focused on Chinese users).

In the course of a review [2] of polkit privileges used by the
application the following major security issues have been found:

CVE-2019-13227) in GUI mode deepin-clone creates
  `/tmp/.deepin-clone.log` as root and follows symlinks there. A local
  user who plants a symlink at that path beforehand can thus have the
  log written, as root, to an arbitrary file of their choosing.
  
CVE-2019-13226) `Helper::temporaryMountDevice()` uses the predictable path
  `/tmp/.deepin-clone/mount/<block-dev-basename>` to temporarily mount a
  file system. Since /tmp is world-writable, an attacker can prepare these
  paths in advance, and symlinks are followed during mounting. If the
  attacker additionally wins a race condition by quickly entering the
  mount point (so that it stays busy), they can also prevent the
  subsequent unmount. This logic can e.g. be triggered by running
  `deepin-clone -i /dev/sdX`.

  An attacker can thus cause the file system to be permanently mounted
  at an arbitrary location in the file system.

CVE-2019-13229) `Helper::getPartitionSizeInfo()` uses the fixed path
  /tmp/partclone.log during execution of partclone. The same symlink
  attack concerns as for CVE-2019-13227 apply here.

CVE-2019-13228) similarly, in `BootDoctor::fix()` the fixed path
  `/tmp/repo.iso` is created and the fixed directory /tmp/.deepin-clone
  is used. The same concerns as for CVE-2019-13227 and CVE-2019-13229
  apply. If an attacker wins a race condition and replaces the
  `/tmp/repo.iso` symlink with an attacker controlled iso file, further
  privilege escalation may be possible.
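The pattern shared by all four issues is a fixed name under the world-writable
/tmp, opened or created by root without refusing symlinks. The following is an
added example (not deepin-clone's code and not the upstream fix) that shows
the vulnerable open() beside a hardened one using O_NOFOLLOW plus an fstat()
check, and an unpredictable private directory via mkdtemp() as a replacement
for a fixed mount point. The scratch directory, the "victim" file and the
function names are constructed for this demonstration; the `parent` argument
of `private_mount_dir()` is an assumption, a root-only directory would be the
better choice in practice.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (as described for /tmp/.deepin-clone.log and
 * /tmp/partclone.log): plain O_CREAT on a fixed path in /tmp. If a local
 * user planted a symlink there first, open() follows it and a root
 * process writes to the link's target. */
int unsafe_open_log(const char *path)
{
    return open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
}

/* Hardened variant: O_NOFOLLOW makes open() fail with ELOOP when the final
 * component is a symlink. The fstat() afterwards rejects anything that is
 * not a regular file owned by us with one link (a planted hard link would
 * survive O_NOFOLLOW). */
int safe_open_log(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Replacement for a predictable mount point such as
 * /tmp/.deepin-clone/mount/<basename>: a fresh directory with an
 * unguessable name and mode 0700. Returns a malloc'ed path or NULL.
 * "parent" is an assumption of this example (use a root-only directory). */
char *private_mount_dir(const char *parent)
{
    size_t n = strlen(parent) + sizeof("/deepin-clone.XXXXXX");
    char *tmpl = malloc(n);
    if (tmpl == NULL)
        return NULL;
    snprintf(tmpl, n, "%s/deepin-clone.XXXXXX", parent);
    if (mkdtemp(tmpl) == NULL) {
        free(tmpl);
        return NULL;
    }
    return tmpl;
}

/* Demonstration: plant a symlink the way a local attacker would (inside a
 * constructed scratch directory), then compare both open routines.
 * Returns 1 if the unsafe open landed on the link target and the safe
 * open refused with ELOOP, 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[PATH_MAX], lnk[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);      /* stands in for e.g. /etc/passwd */
    snprintf(lnk, sizeof lnk, "%s/.deepin-clone.log", dir); /* the predictable log path */

    int followed = 0, refused = 0;
    int t = open(victim, O_WRONLY | O_CREAT, 0600);
    if (t >= 0 && close(t) == 0 && symlink(victim, lnk) == 0) {
        struct stat via_link, direct;
        int fd = unsafe_open_log(lnk);
        if (fd >= 0 && fstat(fd, &via_link) == 0 && stat(victim, &direct) == 0)
            followed = (via_link.st_ino == direct.st_ino &&
                        via_link.st_dev == direct.st_dev);
        if (fd >= 0)
            close(fd);
        fd = safe_open_log(lnk);
        if (fd < 0 && errno == ELOOP)
            refused = 1;
        else if (fd >= 0)
            close(fd);
    }
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return followed && refused;
}

/* Checks that private_mount_dir() yields a directory with mode 0700. */
int demo_private_dir(void)
{
    char *d = private_mount_dir("/tmp");
    if (d == NULL)
        return 0;
    struct stat st;
    int ok = stat(d, &st) == 0 && S_ISDIR(st.st_mode) && (st.st_mode & 07777) == 0700;
    rmdir(d);
    free(d);
    return ok;
}
```

Running the demonstration as an unprivileged user is enough to see the
difference: the plain open() ends up on the victim file, while the O_NOFOLLOW
open() fails with ELOOP. Note that O_NOFOLLOW only protects the last path
component; intermediate directories under /tmp still need to be ones the
attacker cannot control, which is why a private directory is the safer base.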

The issues have been fixed via the upstream commit [3].

Best Regards

Matthias

[1]: https://github.com/linuxdeepin/deepin-clone
[2]: https://bugzilla.suse.com/show_bug.cgi?id=1130388
[3]: https://github.com/linuxdeepin/deepin-clone/commit/e079f3e2712b4f8c28e3e63e71ba1a1f90fce1ab

-- 
Matthias Gerstner <matthias.gerstner@...e.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Mary Higgins, Sri Rasiah
HRB 21284 (AG Nuernberg)

