Sl. No.

Revision No.

Nature of Modification

Modified by

1.

1.0

Initial Version.

-

Audit Objective

Perform Security Audit of Gnome 2.0

Basis of Audit

Approved Gnome 2.0 Security Audit Plan

Auditors

Sun-Gnome Security Audit Team

Audit Period

22 April 2002 to 30 June 2002

Source Base

Gnome Community CVS

[Components got audited against source of a specific date.]

No. Of Components covered

44

Audit Methods

Audit Tools/Checklist

No.

Component

Security Category

Remarks

1

gnome-pty-helper

SUID program

 -

2

bonobo-activation server

daemon

This component will not be audited since any un-authenticated incoming connections or un-trusted data does not go through the daemon.

3

gconfd daemon

daemon

-

4

esound daemon

daemon

The audit of this component was decided to be of lower priority based on telecon with John Fischer.

5

gnome2-settings daemon

daemon

-

6

gnome-session

daemon

-

7

bonobo-activation

library

This component will not be audited since any un-authenticated incoming connections or un-trusted data does not go through the library.

8

bonoboui

library

This component will not be audited since any un-authenticated incoming connections or un-trusted data does not go through the library.

9

ORBit : linc

library

-

10

ORBit : ORBit2

library

-

11

libORBitCosNaming

library

-

12

LibIDL

library

libIDL is not necessary to audit because it's only used in the IDL compiler.

13

libgnome

library

-

14

libgnomeui

library

The audit deferred since this is a GUI library.

15

libgnomecanvas

library

The audit deferred since this is a GUI library.

16

libgnome-desktop

library

The audit deferred since this is a GUI library that has largely untested APIs (at the time of audit).

17

gconf

library

-

18

gnome-vfs

library

-

19

libpanel-applet

library

-

20

libgnomeprint

library

Deferred since this component is currently not used in GNOME2 (at the time of audit).

21

libgnomeprintui

library

Deferred since this component is currently not used in GNOME2 (at the time of audit).

22

nautilus

application

-

23

panel

application

-

24

session properties

application

-

25

gperfmeter

application

Decided not to audit since this only reads & displays information.

26

gnome-control-center

application

-

27

control center capplets

application

-

28

gsearchtool

application

-

29

gdict

application

-

30

cd-player applet

applet daemon

-

31

pager applet

applet daemon

-

32

tasklist applet

applet daemon

-

33

gdict applet

applet daemon

-

34

mini-commander

applet daemon

-

35

screenshooter

applet daemon

-

36

stockticker

applet daemon

-

37

GKB international

applet daemon

-

38

Fish Applet

applet daemon

-

39

gweather

applet daemon

-

40

Gnome files

(resource, config, temporary files)

General Gnome.

-

No.

Component

Security Category

1

xscreensaver

SUID program

2

gnome-print-manager-remote

SUID program

3

gnome-xml

library

4

libxslt

library

5

libzvt

library

6

eel

library

7

sm-proxy

daemon

8

gnome-login-check

application

9

gnome-print-manager

application

10

CD Player

application

11

gnome-terminal

application

12

Yelp/Scrollkeeper

application

13

gprocview

application

14

System Log Monitor

application

15

System Details

application

Activity

Security Audit of Gnome 2.0 Components

Auditors

Sun-Gnome Security Audit Team

Audit Period

1st May 2002 to 30 June 2002

No. Of components audited

44

Sl. No.

Component

Vulnerability

Bugzilla Bug Id

Proposed Action Plan

1

Gnome-control-center 
network preferences capplet

 
Password might get exposed through gnome-network-properties capplet. 

The password is being taken by the application and it is not encrypted. Finally this gets stored under a configuration directory ~home_dir/.gconf in clear text form. 

Nautilus, gnome-vfs, gweather applet & stockticker applet then use this password. 

85559

Prompt for the user password the first time the user connects to the proxy. Reuse it during the session for subsequent connections. 

The current option to save password to disk can also be supported.

2

linc / gnome-login-check

 
DOS attack on /tmp/orbit-$USER 

orbit-<user> directory being created in /tmp directory 

When a user logs in, an orbit-<user> directory is created in /tmp directory with read-write permissions only for the user.   Since this is in /tmp, an attacker can create the directory if it does not exist especially after a system - reboot, where the /tmp is cleaned up. 

After such a directory is created, the valid user logins to the desktop will fail. Only gnome-session and smproxy of the particular user will come up. 

This is a denial of service attack. The solution is to create this user specific directory in a secure directory. 

84110

Code added to scan /tmp/orbit-$USER*, and if no directory with suitable permissions is found, we create one, re-scan and select the first suitable match. New API to allow bonobo-activation to get this information

3

gnome-print-manager-remote 
printman

 
The gnome-print-manager-remote needs to be setuid root only. The current setgid root not required. And also, need to install the setuid program in libexecdir directory. 

Also the tool should only use /var/spool and not /usr/spool as /usr/spool is a symbolic link to /var/spool. 

86328

Modified to make the executable gnome-print-manager-remote to be setuid root only and it is installed in libexecdir directory. Also, the usage of /usr/spool in the code should be replaced with /var/spool.

4

gnome-cd

 
CDDB configuration directory is being created with `775' permission. 

The configuration directory `.cddbslave', under user's home directory, has been given `775' permission. The directory becomes accessible to the group if the home directory has read permissions. On Solaris, the home directory is created with `755' permissions whereas on Linux home directories are created with `700' permission. 

87435

 
Permissions should be changed to `755' or `700'.

5

libgnome

 
gnome_execute_async_with_env_fds( ) in gnome-exec.c is a libgnome call which provide the interface to fork and exec another program for gnome applications. 

In this function after fork (), the function makes a chdir call to exec the program in a safe directory. The return value of chdir( ) is not checked after fork( ). If the call fails, the child process may be executed in the wrong directory. 

87104

The return value of the chdir () call is checked. In case of failure the process exits.

6

gnome-xml

 
Possibility of a buffer overflow in sprintf () in xmlHTMLPrintFileInfo( ) in xmllint.c 

This sprintf function copies the input filename which gnome-xml receives as command line input to a destination buffer, which is 50,000 characters without proper bound checking. Since the filename can be a non-local URI, this can turn out be vulnerability. 

85746

Replace sprintf () with snprintf() specifying the proper number of characters to be copied, thereby avoiding buffer overflow.

7

gnome-xml

 
nanoftp in gnome-xml takes in user name and password through environment variables. FTP_PROXY - ftp_proxy_user - ftp_proxy_password.

85746

gnome-xml could additionally provide support to prompt the user for password for the ftp.

8

gnome-login-check

 
Usage of 'system ()' call without specifying absolute path for commands. 

2 system () calls are used main () in gnome-login-check.c with 'rm' and 'rm -rf' as parameters without the absolute path of these commands. 

85376

Replace the use system () call to execute "rm" * "rm -rf" with the remove () system call.

9

gnome-panel

 
The screenshot applet uses /tmp to store the intermediate screenshot before it is saved. 

The intermediate screenshot is stored in /tmp as a unique dir named gnome-panel-screenshot-<random-no.> This has 755 permissions. The screenshot saved within this dir is named Screenshot.png and created with permissions 644. 

87259

Screenshots could be private info that ideally should not be readable by others. The dir & screenshot.png both need to be created with `600' permission.

10

gnome-session

Session-manager opens listening sockets in /tmp with rwxrwxrwx permissions. 

85375

 
The socket is created using ICElib calls and not directly by the gnome-session-manager. There are no options to specify a secure directory or proper permissions. 

One possible approach to workaround this is to move the created socket to a secure directory and modify the permissions of the socket. 

11

gnome-vfs

Currently, in the VF module, the cde menu icon cache file is saved in /tmp with 777 permissions. 

This file does not change too much and should ideally not be tampered with. Hence it is better if it is moved to some user-specific directory.

87267

This has to be moved to ~user/.gnome and named as ~/.gnome/g-cdeiconnames and created with 644 permissions.

12

Nautilus

The per-user -. Trash is being created with 755 permissions. There?s a bug open already for this in bugzilla. But, the current fix is partial in the sense that when the home directory is located on other device, ?.Trash? is created with 700.

46475

Re-open this bug. Submit a patch such that gnome-vfs returns a 700 ?.Trash? directory uniformly, irrespective of where the home dir is located.

13

gnome-session

 
In remote.c in remote_start( ) execlp function calls RSHCMD which is defined in remote.h as "rsh" ( depends on PATH ). This can turn out to be dangerous since rsh executes a command on remote host. 

85377

Since the location of 'rsh' is predictable for Linux and Solaris, the full path could be specified.

Caveat: rsh is not portable. RSHCMD will need to be defined in an OS specific way. 

14

gnome-system-log

gnome-system-log application, can be used to specify an action to take place (say, open gnome-terminal, open gedit etc.,).  This specified "action" is currently being executed using system() call. Probably a fork() / execlp() combination is better than system() call as the system () call is prone to timing issues.  First a shell is spawned, and then a process is executed with a small time gap in between.  It is possible that the program being executed may be modified during this small time gap. 

87110

Replace the system ( ) call with fork() and execlp().

15

gprocview

 
Usage of popen() and system() calls without specifying the full path. 

This application is often executed by sysadmin as root. And if the PATH variable is poorly set, there is a possibility off a severe security breach. 

bugtraq id is 4703187

Since this is Solaris specific, where the commands started are in /usr/bin, specifying the full path should work.

16

linc

Is_local code brokenness

*

This code was completely re-written, first to function at all, and secondly to handle mixed IPv6, and IPv4 cases

17

linc

Gethostbyname

*

Use of this re-worked, to avoid out of spec badness with _res.options. _res.options/gethostbyname are horrendous APIs to be using; posix.1.g'sgetaddrinfo et. al. should be used, however Solaris support appears uncertain

18

linc

sys-calls

*

Handle EINTR on close in several places

19

ORBit2

faked replies

*

The message id used to identify a reply is typically formed from a pointer on the stack, or an allocated chunk of memory - so as to ensure process uniqueness quickly. This means the message id is extremely predictable. It transpired that we would accept a  'reply' from a different connection to that that sent it. This was fixed by only accepting incoming replies on connections matching those the outgoing (validated) request came in on. It is regression tested in ORBit2/test/test-giop.c (test_spoofing).

20

ORBit2

orbhttp.c

*

A big one, lots of blocking socket code, implementing an un-used feature. Several 

environment variable overflows detected. Disabled, unless the ORBHTTPIORs options is turned on

21

ORBit2

Random access control

*

Local access to the ORB is controlled via a 128 bit hard random cookie, (much in the same way as a X's MIT-MAGIC cookie). The length of the pure random section of the key used to access the ORB was increased to 128bits. 

 The code was expanded to return an error if sufficient randomness (/dev/[u] random) is not available, and if the LocalOnly mode is enabled would fail with an assertion and message suggesting fetching the SUNWski package. 

 The 128bit key is only generated ~once per ORB for performance reasons, thus once authenticated different connections are trusted not to spoof access to other local objects. The lower grade of per object key generation will also marginally improve performance

22

ORBit2

Un-initialized marshaling

*

Any application that handles sensitive data must ensure they wipe any memory as they free it, however it is still possible for freed memory to contain 'interesting' information. This could be marshaled as the slack padding between types that needed large alignment onto the wire. 

This was fixed by wiping the relevant send buffer memory as it is allocated, and between uses for marshalling

23

ORBit2

Message size limiting

*

Expanded the per connection message size limit code to cover the fragmented case. Re-wrote the generic sequence de-marshal-er to exponentially re-allocate up sequences so we can do sane, fast bounds checking on input without blowing the heap.

24

Gnome-control-center Capplets ( Path dependency)

 
nautilus, gzip, tar and gnome-keyboard-properties  are started at different points using calls that have environment dependency. 

85570

- 

25

Gnome-control-center ( Path dependency)

execlp() call without absolute path

main.c : calling execlp with relative path.  This is trying to start "nautilus" with relative path. 

85565

-

26

Xscreensaver ( Path dependency )

The program xscreensaver-demo launches Netscape, xterm and xscreensaver without specifying full path.

**

-

27

cd-player applet ( Path dependency ) 

g_spawn_command_line_async is used in cdplayer.c to launch gnome-cd which creates a path dependency

**

-

28

Nautilus ( Path dependency )

 
The full path is not used in some system() and popen() calls when executing commands like gzip, tar, cd, bzip2, mpg123 and ogg123. 

**

-

29

Gnome-panel ( Path dependency )

 
environment dependency in gnome-panel when commands like "nautilus", "gnome-search-tool", "gnome-panel-screenshot" etc. are started.

**

-

30

Yelp ( Path dependency )

 
Environment variable dependency found in the following: 

Yelp uses g_spawn calls to execute gnome2-man2html, gnome2-info2html, manpath and yelp-db2html commands. 

scrollkeeper-config, scrollkeeper-get-contentlist and scrollkeeper-get-toc-from-docpath commands are also executed. 

**

- 

Component

Issue

1

Smproxy

In save.c: unique_filename(), the result of a getenv(HOME) is passed to an sprintf() without bound checking. The destination string is an array of size PATH_MAX (255 bytes). This has a possibility of a buffer overflow in the sprintf ( ) which can be avoided by using snprintf(). 

In smproxy.c: FinishSaveYourself ( ) where the destination string holding `hostname' information is declared as an 80 byte array. This can pose a problem in Solaris where the hostname returned can be as long as 256 bytes. This destination string needs to be redefined using a standard macro (NI_MAXHOST) and using snprintf(). 

(Bugzilla #87102)

2

Smproxy

In save.c:WriteProxyFile ( ), if HOME environment variable is not set, a temporary file is created in the current directory by mkstemp. If this directory turns out to be world writable, then there is a possibility of a malicious flooding of the directory with mkstemp() generated files.

(Bugzilla #87102)

3

Gnome_Control_Center

In libsounds/sound_properties.c: sound_properties_add_dir ( ), the `opendir ( )' call does not have a corresponding `closedir ( )'.

4

Gnome Control-center - theme-switcher

At the time of installing a theme tarball, no checks are present in the caplet to verify if the specified file is a valid theme tarball. It is possible to install any file as of today into the ~user/.theme/ directory 

A check needs to be added to prevent such an indiscriminate install.

5

Gnome_pty_helper

( non-solaris platform)

On linux, a possibility of allocating a root-owned slave pty is there if fchmod() fails in gnome-pty-helper.c:open_ptys() since fchmod() return value is not checked. 

6

Gnome-print-manager-remote

( non-solaris platform)

For non-Solaris platforms,

In HP-UX and OSF specific `list_local_jobs ( )' routines run "lpstat" using `g_spawn_sync ( )' depending on PATH. 

In AIX specific `list_local_jobs ()' - usage of `g_spawn_command_line_sync ( )' to run "LANG=C enq -LP%printer " which again has a PATH dependency. Additionally there's a typo error: g_spawn_comman_line_sync() - this will not compile on AIX. 

The typo in AIX needs to be corrected. And removing dependency on path in a SUID may be worth the effort, especially if this component will be ported to other platforms.

7

Gnome_session

The magic cookie generated by session-manager using `IceGenerateMagicCookie ( )' is not freed.

8

Gnome_session_properties

For some of the buttons like `Add' button in `Startup Programs', mnemonics are not provided.

9

Gnome_system_details

A right-click on the system-details tree area displays a pop-up menu.  In the menu only options like `Copy' and `Save as' are available. According to usability perspective, `Close' option should also be present.

10

gnome-system-log

Monitor options' and `Action options' GUIs have no instant apply support. 

When the latest log files are being viewed, and if the file gets updated, there is no 'refresh' button or any indication to tell that it is getting updated. 

On Solaris, the 'open' menu item does not by default give the listing of '/var/adm'.  Contents of"/opt/gnome-2.0/bin" are displayed. But on Linux, the current log directory gets opened correctly.  Seems like a Solaris bug. 

11

Gprocview

Usage of  2 successive popen ( )'calls. This happens in various functionalities, where information from executing a command needs to be displayed in a list. For example, the first popen() is done on pstack() to get the number of frames/threads and based on this, the list box with the appropriate number of elements is rendered. The second popen() call is make to get the data and populate the list box. This is inaccurate and expensive.

12

Libzvt

There is a fork / exec in `get_ptys ( )' to fork and exec gnome-pty-helper. Here `chdir ( )' calls are not used. Also the environment is not set explicitly. Though no security issues can be pointed out, it is better to have these calls.

13

Nautilus

In nautilus-file-utilities.c: `nautilus_unique_temporary_file_name ( )' mktemp() is used to generate a unique filename. A potential race condition exists in the time gap when this call returns the file name and the caller opens it. Currently there are no usages of the call. Hence it is better to modify the functionality of this routine to return a file descriptor got from making an mkstemp ( ) call. 

Bugzilla Id : 87128

14

Nautilus

1.When applying background properties, application crashes.

2.When trying to copy/paste multiple lines, only the first line gets pasted. 

3.Drag and drop not workingin `View as List' option.

15

Eel

In eel-debug-drawing.c, a file is created and opened in /tmp, using `mktemp', which is used subsequently in a `system ( )' call. It is better to use `mkstemp ( )' call to avoid a possible race condition.

16

yelp

The strcpy function in yelp-info.c is likely to cause a buffer overflow because, the system call readdir() can return a d_name <= MAXNAMLEN which is 255, whereas, the destination string to store it, titlebuf[] = 128. This would result in a buffer overflow. Another similar issue is in the g_snprintf call used in yelp_info.c, which is likely to result in a loss of data. Instead of hard coding array sizes to 128 it is advised to use #defines like MAXNAMLEN. 

(Bugzilla #87127)

16

Yelp

1.As yelp takes in the name of the file to open as an input message, the current usage message that is printed for `yelp -help' is not ok. There needs to be an indication that they do take in file names.

2.yelp-db2html takes in all input as filenames. Basic parsing to print usage if "-x" etc is entered is needed.

18

Wanda - Fish Applet

Irrespective of whether an invalid/non-existent application is specified, the applet displays a "you have not specified the program to run" message. A more appropriate error message could be displayed

Sl. No.

Bug Synopsis

Component

 Bug-Id 

Status

1

HTTP proxy password might get exposed if set through desktop preferences->network preferences capplet

Control-center network  - preferences caplet

85559

The solution is to prompt the user for the password and retain it for the session. Since multiple components code will have to be modified and a generic solution acceptable to the proposed, this will be fixed in the D2 extension phase.

 2

"orbit-<username>" in /tmp can create a security hole 

 gnome-session-general 
(gnome-login-check)

 84110

Fixed.

  3

Functionality of gpm-remote does not require the 's' bit to be set for the group and also gpm-remote should reside in the sbin directory.

Printman

   86328

Fixed.

4

cde menu icon cache needs to be moved to ~usr/.gnome

gnome-vfs

87267

Fixed.

5

Nautilus creates user -specific .Trash with 755 permissions.

Nautilus

46475

Fixed.

6

Directory .cddbslave getting created with wrong permissions.

Cddbslave2

87435

Fixed

7

Intermediate screenshot stored in /tmp with 644 

gnome-panel

87259

Fixed

8

Use of system() call to execute ?action" command.

Logview

87110

Fixed

9

possible DOS with smproxy's use of mkstemp 

sm-proxy

87102

Fixed

10

gprocview depends on PATH to execute commands.

gprocview

4703187
(bugtraq)

Fixed

11

Keeping track of the bugs in libgnome 

libgnome

87104

Fixed

12

Possibility of buffer overflow in
Yelp.

Yelp

87127

Fixed.

 13

gnome-session depends on PATH variable to start commands.

gnome-session

 85377

Fixed

14

gnome-xml bugs.

gnome-xml

85746

About 4 issues recorded. 3 fixed.

4^th issue : nanoftp in gnome-xml takes in user name and password through environment variables. FTP_PROXY - ftp_proxy_user - ftp_proxy_password

This is an issue similar to clear text password and will be fixed in extended D2 phase.

 15

Session-manager opens listening sockets in /tmp withrwxrwxrwx  permissions.

gnome-session

85375

The .ICE-unix is created by the libICE call. The permissions and location is not in the direct control of the gnome application.

This problem will occur in all cases where there?s usage of libICE.

A possible solution that was considered was of moving the socket to a secure directory. While this may work, there is still a small race.

Any fix to this will need to be done in libICE and not in the scope of the application.

Hence there will be no fix for this bug in Gnome.

 16

Gnome-login-check depends on PATH to execute "rm".

gnome-session

  85376

The solution is to use remove() call. Gnome-login-check has been removed hence there is no need for submitting a patch.

17

Dependency on PATH to execute nautilus and gnome-control-center                itself.

Control-center

85565

Wont Fix

18

GNOME capplet theme-switcher depends on ENV to execute  commands.

Control-center - theme-selector capplet

85570

Wont Fix

19

gnome-settings-daemon depends on PATH variable to start command.

Control-center - settings-daemon

 85576

Wont Fix

20

GNOME capplet gnome-keyboard-properties depends on ENV to execute commands

Control-center - keyboard

 85569

Wont Fix

 21

GNOME control center capplets depend on ENV.

Control-center - general

  85572

Wont Fix