Bug 613768 (CVE-2017-6590) - <gnome-extra/nm-applet-1.4.6-r1: may give access to local files during login screen in combination with lightdm or some other desktop managers
Status: RESOLVED FIXED
Alias: CVE-2017-6590
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mail.gnome.org/archives/netwo...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on:
Blocks: gnome-3.22-stable
Reported: 2017-03-25 11:11 UTC by Mart Raudsepp
Modified: 2017-07-08 12:40 UTC (History)

See Also:
Package list:
=gnome-extra/nm-applet-1.4.6-r1
Runtime testing required: ---
stable-bot: sanity-check+


Description Mart Raudsepp gentoo-dev 2017-03-25 11:11:46 UTC
An issue was discovered in network-manager-applet (aka network-manager-gnome) in Ubuntu 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10. A local attacker could use this issue at the default Ubuntu login screen to access local files and execute arbitrary commands as the lightdm user. The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point that lets you use a certificate to login is required as well, but it's easy to create one. Then, it's possible to open a nautilus window and browse directories. One also can open some applications such as Firefox, which is useful for downloading malicious binaries. 

From https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321 additionally:

We just found a vulnerability in lightdm which could lead us to read files with lightdm permissions, and also write in some directories.
We were able to download a reverse_shell payload and execute it in order to gain a reverse shell as lightdm on a remote system.

The exploitation requires physical access to the locked computer and the Wi-Fi must be turned on. An access point which lets you use a certificate to log in is required as well, but it's easy to create one.

Then, it's possible to open a nautilus window and browse directories. We also can open some applications such as Firefox, which is useful for downloading malicious binaries :-)

See this video for the PoC :
https://www.youtube.com/watch?v=Fp2lwRVg0l0
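The affected range in the summary is the Gentoo atom <gnome-extra/nm-applet-1.4.6-r1, and the package list names the fixed build =gnome-extra/nm-applet-1.4.6-r1. The following is an added example (not part of this bug report or of any Gentoo tool) showing how to check a list of installed category/package-version strings against such an atom with PMS-style version ordering, so that 1.4.6 and 1.2.4 are reported as affected while 1.4.6-r1 is not. The installed list is constructed for illustration; on a real system it would come from the directory names under /var/db/pkg. Numeric components are compared as integers, which is a simplification of the PMS leading-zero rule.

```python
import re

# Simplified PMS version grammar: numeric parts, optional trailing letter,
# suffixes (_alpha/_beta/_pre/_rc/_p with optional number) and a revision.
# "1.4.6-r1" -> ([1, 4, 6], "", [], 1)
SUFFIX_ORDER = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)

# op, category, package, version; package name is matched non-greedily so the
# version is the first "-<digit>..." tail ("nm-applet-1.4.6-r1" -> "1.4.6-r1").
_ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=|~)?(?P<cat>[A-Za-z0-9_][A-Za-z0-9+_.-]*)/"
    r"(?P<pkg>[A-Za-z0-9+_-]+?)-(?P<ver>\d.*)$"
)


def parse_version(ver):
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    nums = [int(x) for x in m.group("nums").split(".")]
    letter = m.group("letter") or ""
    suffixes = [(SUFFIX_ORDER[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    an, al, asuf, arev = parse_version(a)
    bn, bl, bsuf, brev = parse_version(b)

    def cmp(x, y):
        return (x > y) - (x < y)

    # A shorter numeric list is older (1.4 < 1.4.6); Python list comparison does this.
    c = cmp(an, bn) or cmp(al, bl)
    if c:
        return c
    # Pad with (0, 0): "no suffix" sorts after _rc and before _p.
    n = max(len(asuf), len(bsuf))
    c = cmp(asuf + [(0, 0)] * (n - len(asuf)), bsuf + [(0, 0)] * (n - len(bsuf)))
    return c or cmp(arev, brev)


def atom_matches(atom, category, package, installed_version):
    """True if category/package-installed_version satisfies the atom."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom!r}")
    if m["cat"] != category or m["pkg"] != package:
        return False
    op = m["op"] or "="
    if op == "~":
        # Same version, any revision.
        strip = lambda v: re.sub(r"-r\d+$", "", v)
        return compare_versions(strip(installed_version), strip(m["ver"])) == 0
    c = compare_versions(installed_version, m["ver"])
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def vulnerable_installs(installed, affected_atom):
    """Return the category/package-version entries that fall inside affected_atom."""
    hits = []
    for cpv in installed:
        cat, pv = cpv.split("/", 1)
        m = re.match(r"^(?P<pkg>[A-Za-z0-9+_-]+?)-(?P<ver>\d.*)$", pv)
        if m and atom_matches(affected_atom, cat, m["pkg"], m["ver"]):
            hits.append(cpv)
    return hits


# Constructed sample, standing in for `ls -d /var/db/pkg/*/*` output.
SAMPLE_INSTALLED = [
    "gnome-extra/nm-applet-1.2.4",
    "gnome-extra/nm-applet-1.4.6-r1",
    "net-misc/networkmanager-1.4.4-r1",
]

if __name__ == "__main__":
    for cpv in vulnerable_installs(SAMPLE_INSTALLED, "<gnome-extra/nm-applet-1.4.6-r1"):
        print("affected by CVE-2017-6590:", cpv)
```

The revision matters here: 1.4.6 without -r1 is still inside the affected range, because the Gentoo fix was applied as a revision bump on top of the upstream 1.4.6 release.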
Comment 1 Mart Raudsepp gentoo-dev 2017-03-25 12:11:49 UTC
commit 5c732474a68cdacc6cb2f17d60e7af9982c057f8
Author: Mart Raudsepp <leio@gentoo.org>
Date:   Sat Mar 25 14:07:13 2017 +0200

    gnome-extra/nm-applet: fix CVE-2017-6590, nma bindings and more
    
    Grab patches from upstream nm-1-4 branch for fixing broken NMA bindings,
    translations when used in gnome-control-center (gettext domain context issue),
    CVE-2017-6590 (a physical access login screen bypass issue with lightdm), and
    a certification file error message fix as requested by one of our users specifically.
    
    Thanks-to: Martin Mokrejš
    Gentoo-bug: 613646
    Gentoo-bug: 613768


Arches, please proceed. In addition to the security fix, the previous stable nm-applet is a bit old for the newer stable networkmanager too, for more trouble-free functioning.
Comment 2 Agostino Sarubbo gentoo-dev 2017-03-25 14:44:17 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-04-01 16:09:14 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Mart Raudsepp gentoo-dev 2017-04-02 09:03:01 UTC
cleanup done, 1.2.4 remains with keywords reduced to only ~ia64 ~sparc as they still haven't done bug 593496
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-02 12:42:44 UTC
Arches and Maintainer(s). Thank you for your work.
New GLSA Request filed.

Going to leave in cleanup state until they complete the bug.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2017-07-04 21:42:33 UTC
Arches and Maintainer(s), Thank you for your work.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-07-08 12:40:58 UTC
This issue was resolved and addressed in
 GLSA 201707-09 at https://security.gentoo.org/glsa/201707-09
by GLSA coordinator Thomas Deutschmann (whissi).