The goal

Check for arbitrary code execution vulnerabilities in the GDM greeter (gnome-shell --mode=gdm).

The goal is to make sure that an attacker who has physical access to a locked machine (or one where no user is logged in yet) running GNOME cannot cause arbitrary code to be executed.

This document should help guide future reviews.

The plan

Check what user actions (events) can cause code to execute, and that this code is contained in gnome-shell, GDM and other GNOME processes and cannot "escape" from there.

Code that handles user input needs to be checked for vulnerabilities due to stack or heap overflow. This includes keyboard input but also files read from the filesystem.

Restrictions on the GDM mode

GNOME Shell can be run in several modes, each with different capabilities, but all inheriting from the "restrictive" one, which, as its name implies, has all the configurable mode capabilities disabled.

These are the capabilities that the GDM mode has disabled and are relevant to this document:

  • No overview
  • No events in the calendar
  • No System Settings use
  • No extensions enabled
  • No run dialog on Alt+F2
  • No workspaces
  • No windows

Also, these components are disabled (the only component that is enabled is polkitAgent):

  • automountManager.js
  • networkAgent.js
  • recorder.js
  • autorunManager.js
  • keyring.js
  • telepathyClient.js

Additionally, GDM processes (including gnome-shell --mode=gdm) use a special dconf profile that sets several lockdown keys, to further limit the attack surface:

  • /org/gnome/desktop/lockdown/disable-application-handlers
  • /org/gnome/desktop/lockdown/disable-command-line
  • /org/gnome/desktop/lockdown/disable-lock-screen
  • /org/gnome/desktop/lockdown/disable-log-out
  • /org/gnome/desktop/lockdown/disable-printing
  • /org/gnome/desktop/lockdown/disable-print-setup
  • /org/gnome/desktop/lockdown/disable-save-to-disk
  • /org/gnome/desktop/lockdown/disable-user-switching
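The lockdown keys only help if the gdm dconf database actually sets every one of them to true. The following is an added example, not part of the original review or of GDM/gnome-shell: a POSIX shell check that reads a dconf keyfile and reports any of the eight lockdown keys that is missing or not true. It assumes the usual dconf system-db layout (keyfiles such as /etc/dconf/db/gdm.d/00-lockdown compiled into the "gdm" database) and that /etc/dconf/profile/gdm lists that database; both are assumptions, not something this page states.

```shell
#!/bin/sh
# Added example, not from the original review: audit a dconf keyfile for the
# lockdown keys the greeter profile is expected to set. The keyfile path and
# the gdm.d layout are assumptions; the key names are the ones listed above.

LOCKDOWN_KEYS="disable-application-handlers disable-command-line
disable-lock-screen disable-log-out disable-printing disable-print-setup
disable-save-to-disk disable-user-switching"

# check_lockdown_keyfile FILE
# Prints every lockdown key that FILE does not set to true under the
# [org/gnome/desktop/lockdown] section. Returns 0 if all keys are true,
# 1 otherwise. Keys set in any other section are deliberately ignored.
check_lockdown_keyfile() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable: $file"; return 1; }
    # Collect key=value lines that appear under the lockdown section only.
    pairs=$(awk '
        /^\[/ { in_section = ($0 == "[org/gnome/desktop/lockdown]"); next }
        in_section && /^[a-z-]+=/ { print }
    ' "$file")
    status=0
    for key in $LOCKDOWN_KEYS; do
        # -x: the whole line must be exactly key=true, so "false" or a
        # missing key both count as findings.
        if ! printf '%s\n' "$pairs" | grep -qx "$key=true"; then
            echo "not locked down: $key"
            status=1
        fi
    done
    return $status
}

# Usage on a live system (path is the assumed one):
#   check_lockdown_keyfile /etc/dconf/db/gdm.d/00-lockdown && echo ok
```

Run it as root after every change to the gdm dconf database, and remember to run `dconf update` afterwards, since dconf reads the compiled database, not the keyfiles.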

These are the processes run by GDM 3.8.x:

gdm
  |-gdm-simple-slav --display-id /org/gnome/DisplayManager/Displays/_0
  |   |-Xorg :0 -background none -verbose -auth /var/run/gdm/auth-for-gdm-Q0ufBE/database -seat seat0 -nolisten tcp vt7
  |   |-gdm-session-wor
  |   |   |-gnome-session --autostart /usr/share/gdm/greeter/autostart
  |   |   |   |-gnome-settings-
  |   |   |   |-gnome-shell --mode=gdm

Events

Startup

The GDM session worker (gdm-session-worker in the process tree above) will exec gnome-session with $(datadir)/gdm/greeter/autostart as the autostart directory. Every .desktop file in that directory is launched at greeter startup, so the directory and its contents should be writable only by root.

gnome-settings-daemon will load GTK+ modules defined in .desktop files in $(libdir)/gnome-settings-daemon-3.0/gtk-modules/, which should likewise be writable only by root.
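Both startup paths above rest on the same assumption: nobody but root can write to the directory that is read at startup. The following is an added example, not part of the original review or of GDM: a POSIX shell function that walks a directory and reports anything not owned by the expected user or writable by group or others. The directory names in the usage comment are the $(datadir) and $(libdir) defaults from the process tree above; substitute your distribution's paths.

```shell
#!/bin/sh
# Added example, not from the original review: verify that a directory read at
# greeter startup is root-owned and not writable by anyone else.

# check_root_only_writable DIR [OWNER]
# Prints every path under DIR that is not owned by OWNER (default: uid 0) or
# that has the group or other write bit set. Returns 0 when nothing is found,
# 1 otherwise. Uses only POSIX find predicates (-user, -perm -g+w, -perm -o+w).
check_root_only_writable() {
    dir="$1"
    owner="${2:-0}"
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # A file that is group- or world-writable, or owned by someone other than
    # OWNER, lets a non-root user add or change what the greeter executes.
    bad=$(find "$dir" \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$bad" ]; then
        printf 'not root-only writable under %s:\n%s\n' "$dir" "$bad"
        return 1
    fi
    return 0
}

# Usage (assumed default install paths):
#   check_root_only_writable /usr/share/gdm/greeter/autostart
#   check_root_only_writable /usr/lib/gnome-settings-daemon-3.0/gtk-modules
```

The check deliberately looks at the directory itself as well as its contents: a world-writable autostart directory with root-owned files in it is still a problem, because an attacker can drop a new .desktop file next to them.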

Calendar

User can click on the date/clock label in the top bar, which causes the calendar browser to be shown. The user can then page through months, but nothing else besides that.

Accessibility

User can click on the accessibility icon on the right side of the top bar, which displays a menu with the different accessibility settings that can be enabled.

The settings are:

  • High contrast: changes the GTK+, icon and window manager theme
  • Zoom: enables the magnifier
  • Large text: changes setting for text scaling factor
  • Screen reader: changes setting that will make Orca enable itself
  • Screen keyboard: enables Caribou's OSK, which opens when a ClutterText becomes focused

  • Visual alerts: enables visual-bell setting (used by Mutter)
  • Sticky keys: g-s-d enables sticky keys in AccessX
  • Slow keys: g-s-d enables slow keys in AccessX
  • Bounce keys: g-s-d enables bounce keys in AccessX
  • Mouse keys: g-s-d enables mouse keys in AccessX

Volume

User can only display the volume bar and move it left and right.

Power

User can only display a menu with three options:

  • Suspend
  • Restart
  • Power off

By restarting the machine, an attacker could boot into a different OS that allows complete access to the local disks. This attack needs to be prevented at the firmware level (boot order and firmware password) and/or by encrypting the media; there is nothing relevant that can be done from GNOME about it.

Also, note that the machine can always be restarted by removing all power.

User list

User can click on an account, or the "Not listed?" button, which leads to the next section.

User and password fields

A single text field will be presented if PAM requests any textual data. The entry is implemented with ClutterText, which collects individual characters from X keyboard events. No potential heap or stack overflows were detected from manual source inspection.

Plug-in hardware

The autorun component is disabled in GDM mode, so plugging in devices with an autorun.sh file won't cause any additional code to be executed.

Conclusion

The code that an attacker could execute while in the greeter has been inspected, and no arbitrary code execution vulnerability has been found.

TomeuVizoso/GreeterSecurity (last edited 2013-05-07 15:08:33 by TomeuVizoso)