The goal
Check for arbitrary code execution vulnerabilities in the GDM greeter (gnome-shell --mode=gdm).
The goal is to make sure that an attacker that has physical access to a locked machine (or one where no user is logged in yet) with GNOME cannot cause arbitrary code to be executed.
This document should help guide future reviews.
The plan
Check what user actions (events) can cause code to execute, and that this code is contained in gnome-shell, GDM and other GNOME processes and cannot "escape" from there.
Code that handles user input needs to be checked for vulnerabilities due to stack or heap overflow. This includes keyboard input but also files read from the filesystem.
Restrictions on the GDM mode
GNOME Shell can be run in several modes, each with different capabilities, but all inheriting from the "restrictive" one, which, as its name implies, has all the configurable mode capabilities disabled.
These are the capabilities that the GDM mode has disabled and are relevant to this document:
- No overview
- No events in the calendar
- No System Settings use
- No extensions enabled
- No run dialog on Alt+F2
- No workspaces
- No windows
Also, these components are disabled (the only component that is enabled is polkitAgent):
- automountManager.js
- networkAgent.js
- recorder.js
- autorunManager.js
- keyring.js
- telepathyClient.js
Additionally, GDM processes (including gnome-shell --mode=gdm) use a special dconf profile that sets several lockdown keys, to further limit the attack surface:
- /org/gnome/desktop/lockdown/disable-application-handlers
- /org/gnome/desktop/lockdown/disable-command-line
- /org/gnome/desktop/lockdown/disable-lock-screen
- /org/gnome/desktop/lockdown/disable-log-out
- /org/gnome/desktop/lockdown/disable-printing
- /org/gnome/desktop/lockdown/disable-print-setup
- /org/gnome/desktop/lockdown/disable-save-to-disk
- /org/gnome/desktop/lockdown/disable-user-switching
These are the processes run by GDM 3.8.x:
gdm
  |-gdm-simple-slav --display-id /org/gnome/DisplayManager/Displays/_0
  |   |-Xorg :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-Q0ufBE/database -seat seat0 -nolisten tcp vt7
  |   |-gdm-session-wor
  |   |   |-gnome-session --autostart /usr/share/gdm/greeter/autostart
  |   |   |   |-gnome-settings-
  |   |   |   |-gnome-shell --mode=gdm
Events
Startup
gdm-simple-greeter will exec gnome-session with $(datadir)/gdm/greeter/autostart as the autostart directory, which should be writeable only by root.
gnome-settings-daemon will load Gtk+ extensions defined in .desktop files in $(libdir)/gnome-settings-daemon-3.0/gtk-modules/, which also should be writeable only by root.
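The two checks above (the lockdown keys in the GDM dconf profile, and the autostart and gtk-modules directories being writable only by root) can be scripted for future reviews. The following Python is an added example, not GDM or GNOME Shell code; it assumes the GDM dconf settings are available as a keyfile fragment in the format dconf uses for system databases, and the sample keyfile is constructed here.

```python
"""Audit helpers for a GDM greeter review (added example, not GNOME code).
Assumes GDM's dconf settings are available as a keyfile fragment in the format
dconf uses for system databases; directory paths are supplied by the reviewer."""
import configparser
import os
import stat

LOCKDOWN_SCHEMA = "org/gnome/desktop/lockdown"
# Lockdown keys the GDM dconf profile is expected to set to true.
LOCKDOWN_KEYS = (
    "disable-application-handlers", "disable-command-line",
    "disable-lock-screen", "disable-log-out", "disable-printing",
    "disable-print-setup", "disable-save-to-disk", "disable-user-switching",
)

def missing_lockdown_keys(keyfile_text):
    """Return the lockdown keys that are absent or not set to true.
    dconf keyfiles are INI-like: the section is the schema path without
    its leading slash, and booleans are the GVariant text true/false."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(keyfile_text)
    values = parser[LOCKDOWN_SCHEMA] if parser.has_section(LOCKDOWN_SCHEMA) else {}
    return [k for k in LOCKDOWN_KEYS if values.get(k, "").strip() != "true"]

def writable_by_non_root(entries):
    """Given (path, uid, mode) triples, return paths not owned by root or
    group/world-writable: a file planted there runs with the greeter."""
    bad_bits = stat.S_IWGRP | stat.S_IWOTH
    return [p for p, uid, mode in entries if uid != 0 or mode & bad_bits]

def scan_dir(path):
    """Collect (path, uid, mode) for a directory and its direct children."""
    paths = [path] + [os.path.join(path, e) for e in sorted(os.listdir(path))]
    return [(p, os.lstat(p).st_uid, os.lstat(p).st_mode) for p in paths]

# Constructed sample: disable-log-out is false, disable-user-switching is absent.
SAMPLE_KEYFILE = """[org/gnome/desktop/lockdown]
disable-application-handlers=true
disable-command-line=true
disable-lock-screen=true
disable-log-out=false
disable-printing=true
disable-print-setup=true
disable-save-to-disk=true
"""

if __name__ == "__main__":
    print("lockdown keys not enforced:", missing_lockdown_keys(SAMPLE_KEYFILE))
    autostart = "/usr/share/gdm/greeter/autostart"  # path from the process tree
    if os.path.isdir(autostart):
        print("suspicious entries:", writable_by_non_root(scan_dir(autostart)))
```

Run `scan_dir` over the gtk-modules directory as well; any path it reports is a place where the greeter session would pick up code that root did not install.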
Calendar
User can click on the date/clock label in the top bar, which causes the calendar browser to be shown. The user can then page through months, but nothing else.
Accessibility
User can click on the accessibility icon on the right side of the top bar, which displays a menu with the different accessibility settings that can be enabled.
The settings are:
- High contrast: changes the GTK+, icon and window manager theme
- Zoom: enables the magnifier
- Large text: changes setting for text scaling factor
- Screen reader: changes setting that will make Orca enable itself
- Screen keyboard: enables Caribou's OSK, which will open when a ClutterText becomes focused
- Visual alerts: enables visual-bell setting (used by Mutter)
- Sticky keys: g-s-d enables sticky keys in Accessx
- Slow keys: g-s-d enables slow keys in Accessx
- Bounce keys: g-s-d enables bounce keys in Accessx
- Mouse keys: g-s-d enables mouse keys in Accessx
Volume
User can only display the volume bar and move it left and right.
Power
User can only display a menu with three options:
- Suspend
- Restart
- Power off
By restarting the machine, an attacker could boot into a different OS that allows complete access to the local disks. This attack has to be prevented at the firmware level and/or by encrypting the media; there is nothing relevant that can be done about it from GNOME.
Also, note that the machine can always be restarted by removing all power.
User list
User can click on an account, or the "Not listed?" button, which brings up the user and password fields described in the next section.
User and password fields
A single text field will be presented if PAM requests any textual data. The entry is implemented with ClutterText, which collects individual characters from X keyboard events. No potential heap or stack overflows were detected from manual source inspection.
Plug-in hardware
The autorun component is disabled in GDM mode, so plugging in devices with an autorun.sh file won't cause any additional code to be executed.
Conclusion
The code that an attacker could execute while in the greeter has been inspected, and no arbitrary code execution vulnerability has been found.