** Description changed:

  Oliver-Tobias Ripka reported a vulnerability in /etc/acpi/powerbtn.sh
  that could allow an attacker to execute arbitrary code as the user that
  is logged into the current X session.

  The prerequisites for the attack are as follows:

  1.) The attacker must be able to run an application on the system.
  2.) A power management daemon cannot be running. See $PMS in powerbtn.sh
      for the list of known daemons.
  3.) powerbtn.sh must be triggered. This may happen by pressing a power
      button in a bare-metal installation or by virsh shutdown in a
      virtualized environment.

  Oliver-Tobias pointed us to this excerpt from line 40 of powerbtn.sh:

  su - $XUSER -c "eval $(echo -n 'export '; cat /proc/$(pidof kded4)/environ |tr '\0' '\n'|grep DBUS_SESSION_BUS_ADDRESS); qdbus org.kde.kded"

- $(pidof kded4) returns the pid of any process(es) named kded4. Due to command
- expansion, cat /proc/$(pidof kded4)/environ is ran as root, allowing the
+ $(pidof kded4) returns the pid of any process(es) named kded4. Due to command
+ expansion, cat /proc/$(pidof kded4)/environ is ran as root, allowing the
  environ of any process, owned by any user, to be successfully read.

  The attacker may be running a "fake" kded4 binary which has a malicious
  DBUS_SESSION_BUS_ADDRESS environment variable. The variable could inject
  shell commands that would be expanded as $XUSER. This opens up the
  possibility of the attacker running code as $XUSER.

  The prerequisites listed above must be met in order for the vulnerable
  code to be exploited.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/893821

Title:
  Shell expansion may allow privilege boundary crossing

To manage notifications about this bug go to:
https://bugs.launchpad.net/acpid/+bug/893821/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
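One way to avoid the pattern described in the report, shown as an added example that is not part of the bug report or of acpid's own code: only kded4 processes owned by the session user are considered, and the DBUS_SESSION_BUS_ADDRESS value is validated as data and never passed through eval. The function names (owned_by, extract_dbus_addr, session_bus_for_user) and the character allowlist are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not acpid code): obtain the session bus address without eval.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# True if file $1 is owned by user $2 (name or numeric uid).
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# Print DBUS_SESSION_BUS_ADDRESS from a NUL-separated environ file ($1).
# The value is handled as data only; anything outside the allowlist fails.
extract_dbus_addr() {
    addr=$(tr '\0' '\n' < "$1" |
           sed -n 's/^DBUS_SESSION_BUS_ADDRESS=//p' | head -n 1)
    [ -n "$addr" ] || return 1
    case $addr in
        *[!A-Za-z0-9_=:,./%@-]*) return 1 ;;   # quotes, $, ;, spaces, ...
    esac
    printf '%s\n' "$addr"
}

# Only consider kded4 processes that belong to the session user ($1).
session_bus_for_user() {
    for pid in $(pgrep -u "$1" -x kded4); do
        owned_by "/proc/$pid/environ" "$1" || continue
        extract_dbus_addr "/proc/$pid/environ" && return 0
    done
    return 1
}

# Intended use in place of the eval (assumption: same su/qdbus call as above):
#   addr=$(session_bus_for_user "$XUSER") &&
#     su - "$XUSER" -c "DBUS_SESSION_BUS_ADDRESS='$addr' qdbus org.kde.kded"

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
printf 'HOME=/home/u\0DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-Ab12\0' > "$sample"
extract_dbus_addr "$sample"
printf 'DBUS_SESSION_BUS_ADDRESS=x; echo injected\0' > "$sample"
extract_dbus_addr "$sample" || echo "rejected: value contains shell metacharacters"
rm -f "$sample"
```

Because the validated value contains no quotes or shell metacharacters, interpolating it into the single-quoted assignment in the su command cannot change how that command is parsed.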