
Bug 613768 (CVE-2017-6590)

Summary: <gnome-extra/nm-applet-1.4.6-r1: may give access to local files during login screen in combination with lightdm or some other desktop managers
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Mart Raudsepp <leio>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
CC: gnome
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://mail.gnome.org/archives/networkmanager-list/2017-March/msg00032.html
Whiteboard: B3 [glsa cve]
Package list: =gnome-extra/nm-applet-1.4.6-r1
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 611134

Description Mart Raudsepp gentoo-dev 2017-03-25 11:11:46 UTC
An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to login is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries. 

From https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321 additionally:

We just found a vulnerability in lightdm which could lead us to read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.

The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point which lets you use a certificate to log in is required as well, but it's easy to create one.

Then, it's possible to open a nautilus window and browse directories. We also can open some applications such as Firefox, which is useful to download malicious binaries :-)

See this video for the PoC:
https://www.youtube.com/watch?v=Fp2lwRVg0l0
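As an added example (not part of this bug report or of the nm-applet project), the following POSIX shell check answers the question an administrator has after reading the package list above: is the gnome-extra/nm-applet version recorded by Portage older than the fixed 1.4.6-r1? It reads the installed version from the Portage database directory /var/db/pkg and compares dotted numeric components plus the Gentoo -rN revision. It assumes plain release versions; Gentoo suffixes such as _rc or _p are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether an installed
# gnome-extra/nm-applet version predates the fixed version named in this
# bug's package list, =gnome-extra/nm-applet-1.4.6-r1.
FIXED_NM_APPLET="1.4.6-r1"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B.
# Understands dotted numeric components and an optional Gentoo "-rN"
# revision (a missing revision counts as -r0). Assumption: release
# versions only; suffixes such as _rc or _p are not handled here.
vercmp() {
    a_ver=${1%-r*}; b_ver=${2%-r*}
    a_rev=0; b_rev=0
    case $1 in *-r*) a_rev=${1##*-r} ;; esac
    case $2 in *-r*) b_rev=${2##*-r} ;; esac
    while [ -n "$a_ver" ] || [ -n "$b_ver" ]; do
        a_f=${a_ver%%.*}; b_f=${b_ver%%.*}
        case $a_ver in *.*) a_ver=${a_ver#*.} ;; *) a_ver= ;; esac
        case $b_ver in *.*) b_ver=${b_ver#*.} ;; *) b_ver= ;; esac
        # a shorter version is padded with zeros, so 1.4 equals 1.4.0
        [ -n "$a_f" ] || a_f=0
        [ -n "$b_f" ] || b_f=0
        if [ "$a_f" -lt "$b_f" ]; then printf '%s\n' -1; return 0; fi
        if [ "$a_f" -gt "$b_f" ]; then printf '%s\n' 1; return 0; fi
    done
    if [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1; return 0; fi
    if [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1; return 0; fi
    printf '%s\n' 0
}

# nm_applet_vulnerable PVR: exit 0 when PVR is older than the fixed version.
nm_applet_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_NM_APPLET")" -lt 0 ]
}

# installed_nm_applet_version: prints the version Portage recorded under
# /var/db/pkg (directory name is PN-PVR); fails if the package is absent.
installed_nm_applet_version() {
    for d in /var/db/pkg/gnome-extra/nm-applet-*; do
        [ -d "$d" ] || return 1
        printf '%s\n' "${d##*/nm-applet-}"
        return 0
    done
}

# Stand-alone run: report on the installed version, if any.
if v=$(installed_nm_applet_version); then
    if nm_applet_vulnerable "$v"; then
        echo "nm-applet-$v is older than $FIXED_NM_APPLET: affected by CVE-2017-6590"
    else
        echo "nm-applet-$v is at or above $FIXED_NM_APPLET"
    fi
else
    echo "gnome-extra/nm-applet is not installed"
fi
```

The comparison treats a version without a revision as -r0, which is why 1.4.6 alone still counts as affected: only the -r1 revision carries the CVE-2017-6590 patch according to the package list.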
Comment 1 Mart Raudsepp gentoo-dev 2017-03-25 12:11:49 UTC
commit 5c732474a68cdacc6cb2f17d60e7af9982c057f8
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Mar 25 14:07:13 2017 +0200

    gnome-extra/nm-applet: fix CVE-2017-6590, nma bindings and more
    
    Grab patches from upstream nm-1-4 branch for fixing broken NMA bindings,
    translations when used in gnome-control-center (gettext domain context issue),
    CVE-2017-6590 (a physical access login screen bypass issue with lightdm), and
    a certification file error message fix as requested by one of our users specifically.
    
    Thanks-to: Martin Mokrejš
    Gentoo-bug: 613646
    Gentoo-bug: 613768


Arches, please proceed. In addition to the security fix, previous stable nm-applet is a bit old for newer stable networkmanager too for more trouble-free functioning.
Comment 2 Agostino Sarubbo gentoo-dev 2017-03-25 14:44:17 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-01 16:09:14 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Mart Raudsepp gentoo-dev 2017-04-02 09:03:01 UTC
cleanup done, 1.2.4 remains with keywords reduced to only ~ia64 ~sparc as they still haven't done bug 593496
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2017-04-02 12:42:44 UTC
Arches and Maintainer(s). Thank you for your work.
New GLSA Request filed.

Going to leave in cleanup state until they complete the bug.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-07-04 21:42:33 UTC
Arches and Maintainer(s), thank you for your work.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:40:58 UTC
This issue was resolved and addressed in GLSA 201707-09 at https://security.gentoo.org/glsa/201707-09 by GLSA coordinator Thomas Deutschmann (whissi).