Full Report
Ubuntu's accountsservice package allows user account information to be queried and manipulated. It does this over D-Bus, the IPC mechanism used by Linux desktops. After receiving a D-Bus method call, the server normally sends the client exactly one reply: a METHOD_RETURN for a successful call or an ERROR message for a failed one. Libraries built on the D-Bus API assume this contract holds, so it is important that a handler gets it right. The reply is not the C return value of the handler; it is sent by calling a completion function on an internal invocation object, and that call also releases the reference the handler holds on the object. What happens if the specification isn't followed? Madness.

In the case of user_change_language_authorized_cb, both the error handler and the success handler were being called. The error handler ran when $HOME was not mounted, and the main path always ran afterwards. Since both calls decrement the same reference counter, the first call frees the object and the second call touches it again: a use after free. By forcing the $HOME check to fail (for example by deleting the home directory), or by passing an invalid language string, a local user can trigger the double decrement and corrupt memory. The command below triggers it:

```bash
dbus-send --system --print-reply \
  --dest=org.freedesktop.Accounts \
  /org/freedesktop/Accounts/User`id -u` \
  org.freedesktop.Accounts.User.SetLanguage string:'**'
```

On Ubuntu 23.04 this causes a SIGSEGV crash; on 22.04 the same call does not crash, which the author attributes to a difference in GLib's memory allocator. The author also describes exploitation beyond a crash as difficult, if not impossible.
Analysis Summary
# Vulnerability: Use-After-Free in Ubuntu accountsservice (GHSL-2023-139)
## CVE Details
- **CVE ID:** CVE-2023-3297
- **CVSS Score:** 7.8 (High) - *Note: CVSS estimated based on local privilege escalation potential.*
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Ubuntu `accountsservice` package (specifically the `accounts-daemon`).
- **Versions:** 22.08.8-1ubuntu7 and likely earlier. Tested on Ubuntu 22.04 LTS and 23.04.
- **Configurations:** Systems running the D-Bus interface for account management where the local user can trigger error conditions in user management calls.
## Vulnerability Description
The vulnerability exists in the `user_change_language_authorized_cb` function and other similar handlers in `user.c`. In the D-Bus protocol, a server must respond with either a `METHOD_RETURN` or an `ERROR`, but never both.
In the vulnerable code, if a specific condition fails (such as the `$HOME` directory being unavailable or invalid characters being passed), the `throw_error` function is called to send an error message to the client. However, the code continues to execute and proceeds to call a `complete_set` function (e.g., `accounts_user_complete_set_language`). Both of these functions decrement the reference counter for the `GDBusMethodInvocation` context. This double-decrement causes the object to be freed prematurely by the first call, resulting in a **Use-After-Free (UAF)** when the second call attempts to access the same memory.
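The double release described above (and in the Full Report) as a runnable C model. This is an added example, not accountsservice or GLib code. It assumes the documented GDBus ownership rule that `g_dbus_method_invocation_return_error()` (what `throw_error` sends) and the generated `accounts_user_complete_set_language()` each consume the handler's reference to the `GDBusMethodInvocation`, and it replaces the real object with a counter that records a release after free instead of corrupting memory. All names in the block (`invocation_t`, `throw_error_model`, `complete_model`, `precondition_ok`, `handler_vulnerable`, `handler_fixed`, `invalid_unrefs_for`) and the simplified precondition are the example's own.

```c
/*
 * Added example, not accountsservice or GLib code.  A GDBusMethodInvocation is
 * reference counted; both the error reply and the generated *_complete_*()
 * helper consume the handler's reference.  A handler that calls both releases
 * the object twice.  Every identifier here is this example's own stand-in.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int refcount;       /* the handler starts with exactly one reference */
    bool freed;         /* set when the last reference is dropped */
    int invalid_unrefs; /* releases after free: the use-after-free events */
    char reply[32];     /* what the client would receive */
} invocation_t;

static void invocation_init(invocation_t *inv)
{
    memset(inv, 0, sizeof *inv);
    inv->refcount = 1;
}

/* Model of g_object_unref(): instead of returning memory to the allocator
 * (where a second release is undefined behaviour), record the event. */
static void invocation_unref(invocation_t *inv)
{
    if (inv->freed) {
        inv->invalid_unrefs++;  /* touching an already freed object */
        return;
    }
    if (--inv->refcount == 0)
        inv->freed = true;
}

/* Model of throw_error(): send ERROR, then give up the reference. */
static void throw_error_model(invocation_t *inv, const char *msg)
{
    if (!inv->freed)
        snprintf(inv->reply, sizeof inv->reply, "ERROR: %s", msg);
    invocation_unref(inv);
}

/* Model of accounts_user_complete_set_language(): send METHOD_RETURN,
 * then give up the reference. */
static void complete_model(invocation_t *inv)
{
    if (!inv->freed)
        snprintf(inv->reply, sizeof inv->reply, "METHOD_RETURN");
    invocation_unref(inv);
}

/* Simplified stand-in (an assumption, not the real check): the home directory
 * must be available and the language string must look like a locale name. */
static bool precondition_ok(const char *language, bool home_available)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-@";
    return home_available && strspn(language, allowed) == strlen(language);
}

/* Vulnerable shape: the error path does not return, so the success path's
 * completion also runs and releases the invocation a second time. */
static void handler_vulnerable(invocation_t *inv, const char *language,
                               bool home_available)
{
    if (!precondition_ok(language, home_available))
        throw_error_model(inv, "cannot set language");
    /* ... the language would be written to the user's config here ... */
    complete_model(inv);
}

/* Fixed shape: exactly one of ERROR or METHOD_RETURN is ever sent. */
static void handler_fixed(invocation_t *inv, const char *language,
                          bool home_available)
{
    if (!precondition_ok(language, home_available)) {
        throw_error_model(inv, "cannot set language");
        return;
    }
    complete_model(inv);
}

/* Drive one request through either handler and report how many releases hit
 * an already freed invocation (0 is correct; 1 is the use-after-free). */
int invalid_unrefs_for(bool fixed, const char *language, bool home_available)
{
    invocation_t inv;
    invocation_init(&inv);
    if (fixed)
        handler_fixed(&inv, language, home_available);
    else
        handler_vulnerable(&inv, language, home_available);
    return inv.invalid_unrefs;
}

int main(void)
{
    /* Constructed inputs: the advisory's "**" string and a missing $HOME. */
    printf("vulnerable, '**'     : %d release(s) after free\n",
           invalid_unrefs_for(false, "**", true));
    printf("vulnerable, no $HOME : %d release(s) after free\n",
           invalid_unrefs_for(false, "en_US.UTF-8", false));
    printf("fixed,      '**'     : %d release(s) after free\n",
           invalid_unrefs_for(true, "**", true));
    return 0;
}
```

Build it with any C compiler (`cc model.c -o model`, file name arbitrary) and run it: the vulnerable handler reports one release after free for both failure modes, the fixed handler reports none, and valid input is fine in both. In the real daemon the second release is a `g_object_unref()` on freed heap memory, which is why the observable outcome depends on what the allocator has done with that block in the meantime. The fix is the `return` after the error reply, which restores the one-reply rule the D-Bus contract requires.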
## Exploitation
- **Status:** PoC available (Crash only). No known active exploitation in the wild.
- **Complexity:** High (Exploitation is described as difficult to near-impossible due to the nature of the memory corruption).
- **Attack Vector:** Local (Requires an unprivileged local account to send D-Bus messages).
### Proof of Concept (PoC)
The following command triggers a crash of `accounts-daemon` on Ubuntu 23.04 by passing an invalid language string to the `SetLanguage` method (on 22.04 the same call returns without crashing, but the use-after-free still occurs):

```bash
dbus-send --system --print-reply --dest=org.freedesktop.Accounts \
  /org/freedesktop/Accounts/User`id -u` \
  org.freedesktop.Accounts.User.SetLanguage string:'**'
```
## Impact
- **Confidentiality:** Low (Potential for memory leakage).
- **Integrity:** High (Potential for memory corruption leading to code execution).
- **Availability:** High (a single unprivileged D-Bus call reliably crashes `accounts-daemon` with `SIGSEGV` on Ubuntu 23.04; on 22.04 the same call does not crash, reportedly because of a different GLib memory allocator, although the use-after-free still occurs).
- **Overall:** `accounts-daemon` runs as root, so a working exploit would give a local unprivileged attacker **root privileges**; the only publicly demonstrated outcome is a crash.
## Remediation
### Patches
Ubuntu has released security updates to address this in the following versions (or later):
- **Ubuntu 23.04:** `accountsservice` 22.08.8-1ubuntu7.1
- **Ubuntu 22.04 LTS:** `accountsservice` 22.07.5-2ubuntu1.4
- **Ubuntu 20.04 LTS:** `accountsservice` 0.6.55-0ubuntu12.13
### Workarounds
No specific non-patch workarounds are provided. Restricting which users may call `org.freedesktop.Accounts.User` methods through D-Bus policy would reduce exposure, but it is likely to break desktop account management, so applying the patched package is the practical mitigation.
## Detection
- **Indicators of Compromise:** Unusual or repeated crashes of `accounts-daemon` (recorded in the systemd journal, e.g. `journalctl -u accounts-daemon.service`, or in `/var/log/syslog`).
- **Detection Methods:** Monitor for `SIGSEGV` in `accounts-daemon` (systemd logs the unit's main process exiting with `status=11/SEGV`). Check for large volumes of `SetLanguage` or other `org.freedesktop.Accounts.User` method calls from unprivileged users, e.g. with `dbus-monitor --system`. Note that on 22.04 the bug is triggered without a crash, so the absence of crash logs does not mean the call was not made.
## References
- **Vendor Advisory:** [https://ubuntu.com/security/CVE-2023-3297](https://ubuntu.com/security/CVE-2023-3297)
- **GitHub Security Lab:** [https://securitylab.github.com/advisories/GHSL-2023-139_accountsservice/](https://securitylab.github.com/advisories/GHSL-2023-139_accountsservice/)
- **Bug Tracker:** [https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182](https://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182)