D-Bus variant recursion vulnerability

Security Advisory

Summary           : Infinite recursion in message validation
                    Protocol design error
Date              : 11 December 2010
Affected versions : dbus 1.4.0, dbus 1.2.24 and earlier
Impact            : Local denial of service
CVE ID            : CVE-2010-4352
ID                : FreeDesktop bug #32321

Details

The D-Bus message format provides four different container types: array, structure, dictionary entry and variant. The format specification explicitly forbids more than 32 levels of nesting for arrays, and likewise for structures, within a message signature. Dictionary entries also cannot be nested more than 32 levels deep (within a single signature), since they can only occur inside arrays. There is, however, no limit on the nesting of variants other than the total message size limit.

When a D-Bus message is received, libdbus always checks that the message is well-formed. In doing so, it recursively checks every variant found in the message. If the message contains an excessive number of nested variants, the function-call recursion becomes too deep, the call stack overflows, and the process dies with a segmentation fault.

Impact

If successful, a malicious user could use this vulnerability to crash the bus daemon. In the case of the system bus, this is a local denial of service attack. Depending on which services rely on D-Bus, the consequences range from a minor inconvenience to rendering the system unusable.

Furthermore, even if the bus daemon did not crash, it might be possible to crash any process connected to the bus that uses libdbus. This attack remains hypothetical at this point, however.

This attack cannot be exploited to run arbitrary code. This attack cannot be exploited remotely.

Threat mitigation

A user account is needed to carry out this attack.

Paradoxically, this attack is more likely to succeed if the bus daemon is a position-independent executable (PIE). While PIE is used as a security precaution against several classes of code execution vulnerabilities, it usually leaves less call stack space available, which makes this attack easier. Many GNU/Linux distributions nowadays compile the bus daemon (or all executables) as PIE.

Workarounds

This attack can be thwarted by reducing the maximum size of D-Bus messages. However, the resulting limit may be smaller than some D-Bus services require. On Debian Squeeze for i386, a message of about 110 kb is big enough to crash the bus.

Solution

D-Bus release version 1.4.1 includes a fix for this issue.

The D-Bus protocol needs to be updated to strictly limit the nesting of variants. The reference implementation has been changed accordingly.
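The following is an added example, not code from libdbus or from this advisory's author. It models the two checks discussed above: the existing per-signature limit of 32 nested arrays/structures/dictionary entries, and the missing bound on variant nesting in the message body, applied here as a recursion-depth cutoff (the value 32 for variants is an assumption for this example, not a figure from the advisory). Message bodies are modelled as Python tuples, with a variant written as ("v", signature, payload).

```python
# Added example, not libdbus code: depth-checked D-Bus signature parsing and a
# bounded walk over nested variants, modelling the limit the advisory calls for.
MAX_NESTING = 32          # spec limit for arrays and structs in one signature
MAX_VARIANT_NESTING = 32  # assumed figure for this example, not from the page
BASIC = set("ybnqiuxtdsogh")

def _deeper(depth: int) -> int:
    """Open one more container level, refusing to go past MAX_NESTING."""
    if depth + 1 > MAX_NESTING:
        raise ValueError("container nesting exceeds %d" % MAX_NESTING)
    return depth + 1

def _parse_one(sig: str, i: int, depth: int) -> tuple:
    """Parse one complete type at sig[i]; return (index after it, deepest level)."""
    if i >= len(sig):
        raise ValueError("truncated signature")
    c = sig[i]
    if c in BASIC or c == "v":        # a variant is a leaf inside a signature
        return i + 1, depth
    if c == "a":                      # array: one level around its element type
        return _parse_one(sig, i + 1, _deeper(depth))
    if c in "({":                     # struct or dict entry: bracketed members
        close, inner = (")" if c == "(" else "}"), _deeper(depth)
        i, deepest = i + 1, inner
        while i < len(sig) and sig[i] != close:
            i, d = _parse_one(sig, i, inner)
            deepest = max(deepest, d)
        if i >= len(sig):
            raise ValueError("unbalanced %r" % c)
        return i + 1, deepest
    raise ValueError("unknown type code %r" % c)

def signature_max_depth(sig: str) -> int:
    """Deepest array/struct/dict-entry nesting in a signature, or ValueError."""
    i, deepest = 0, 0
    while i < len(sig):
        i, d = _parse_one(sig, i, 0)
        deepest = max(deepest, d)
    return deepest

def check_variant_nesting(value, depth: int = 0) -> int:
    """Walk a body where a variant is ("v", sig, payload); stop at the limit."""
    if isinstance(value, tuple) and len(value) == 3 and value[0] == "v":
        if depth + 1 > MAX_VARIANT_NESTING:
            raise ValueError("variant nesting exceeds %d" % MAX_VARIANT_NESTING)
        signature_max_depth(value[1])  # each variant carries its own signature
        return check_variant_nesting(value[2], depth + 1)
    return depth                       # leaf reached: report how deep we got
```

Without the cutoff in check_variant_nesting, a body of a few thousand stacked variants would recurse once per level, which is exactly the stack exhaustion the advisory describes; with it, the message is rejected as malformed instead.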

Credits

This vulnerability was discovered by Rémi Denis-Courmont.

References

D-Bus protocol specification
http://dbus.freedesktop.org/doc/dbus-specification.html
D-Bus (freedesktop.org)
http://dbus.freedesktop.org/
Rémi Denis-Courmont
http://www.remlab.net/

History

11 December 2010
Initial advisory
Bug reported
16 December 2010
CVE reference assigned
20 December 2010
D-Bus 1.4.1 released with fix