Vulnerabilities > CVE-2012-2737 - Race Condition vulnerability in RAY Stode Accountsservice
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-060.NASL description Updated accountsservice packages fix security vulnerability : Florian Weimer discovered that AccountsService incorrectly handled privileges when copying certain files to the system cache directory. A local attacker could exploit this issue to read arbitrary files, bypassing intended permissions (CVE-2012-2737). last seen 2020-06-01 modified 2020-06-02 plugin id 66074 published 2013-04-20 reporter This script is Copyright (C) 2013-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66074 title Mandriva Linux Security Advisory : accountsservice (MDVSA-2013:060) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2013:060. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(66074); script_version("1.5"); script_cvs_date("Date: 2019/08/02 13:32:55"); script_cve_id("CVE-2012-2737"); script_bugtraq_id(54223); script_xref(name:"MDVSA", value:"2013:060"); script_xref(name:"MGASA", value:"2012-0153"); script_name(english:"Mandriva Linux Security Advisory : accountsservice (MDVSA-2013:060)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated accountsservice packages fix security vulnerability : Florian Weimer discovered that AccountsService incorrectly handled privileges when copying certain files to the system cache directory. A local attacker could exploit this issue to read arbitrary files, bypassing intended permissions (CVE-2012-2737)." ); script_set_attribute( attribute:"solution", value: "Update the affected accountsservice, lib64accountsservice-devel and / or lib64accountsservice0 packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:accountsservice"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64accountsservice-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64accountsservice0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/20"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"accountsservice-0.6.14-3.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64accountsservice-devel-0.6.14-3.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64accountsservice0-0.6.14-3.1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2012-10120.NASL description This updates accountsservice to correct a local file disclosure security flaw. CVE-2012-2737 This update also corrects and issue where spurios users show up in the login screen user list. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-07-03 plugin id 59826 published 2012-07-03 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59826 title Fedora 17 : accountsservice-0.6.21-2.fc17 (2012-10120) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2012-10120. # include("compat.inc"); if (description) { script_id(59826); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2012-2737"); script_bugtraq_id(54223); script_xref(name:"FEDORA", value:"2012-10120"); script_name(english:"Fedora 17 : accountsservice-0.6.21-2.fc17 (2012-10120)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This updates accountsservice to correct a local file disclosure security flaw. CVE-2012-2737 This update also corrects and issue where spurios users show up in the login screen user list. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=836284" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=836595" ); # https://lists.fedoraproject.org/pipermail/package-announce/2012-July/083359.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3cfe2197" ); script_set_attribute( attribute:"solution", value:"Update the affected accountsservice package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:accountsservice"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17"); script_set_attribute(attribute:"patch_publication_date", value:"2012/06/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/07/03"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^17([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC17", reference:"accountsservice-0.6.21-2.fc17")) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "accountsservice"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-370.NASL description This update of accountservice fixed a flaw in user_change_icon_file_authorized_cb() that could be exploited by local attackers to read arbitrary files. last seen 2020-06-05 modified 2014-06-13 plugin id 74672 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74672 title openSUSE Security Update : accountsservice (openSUSE-SU-2012:0845-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2012-370. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(74672); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2012-2737"); script_name(english:"openSUSE Security Update : accountsservice (openSUSE-SU-2012:0845-1)"); script_summary(english:"Check for the openSUSE-2012-370 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update of accountservice fixed a flaw in user_change_icon_file_authorized_cb() that could be exploited by local attackers to read arbitrary files." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=768807" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2012-07/msg00016.html" ); script_set_attribute( attribute:"solution", value:"Update the affected accountsservice packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:accountsservice"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:accountsservice-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:accountsservice-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:accountsservice-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:accountsservice-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libaccountsservice0"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libaccountsservice0-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.1"); script_set_attribute(attribute:"patch_publication_date", value:"2012/07/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE12\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.1", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE12.1", reference:"accountsservice-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"accountsservice-debuginfo-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"accountsservice-debugsource-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"accountsservice-devel-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"accountsservice-lang-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"libaccountsservice0-0.6.15-2.4.1") ) flag++; if ( rpm_check(release:"SUSE12.1", reference:"libaccountsservice0-debuginfo-0.6.15-2.4.1") ) flag++; if (flag) { if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get()); else security_note(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "accountsservice"); }NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1485-1.NASL description Florian Weimer discovered that AccountsService incorrectly handled privileges when copying certain files to the system cache directory. A local attacker could exploit this issue to read arbitrary files, bypassing intended permissions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 59784 published 2012-06-29 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59784 title Ubuntu 11.10 / 12.04 LTS : accountsservice vulnerability (USN-1485-1)
References
- http://cgit.freedesktop.org/accountsservice/commit/?id=26213aa0e0d8dca5f36cc23f6942525224cbe9f5
- http://cgit.freedesktop.org/accountsservice/commit/?id=27f3d93a82fde4f6c7ab54f3f008af04f93f9c69
- http://cgit.freedesktop.org/accountsservice/commit/?id=4c5b12e363410e490e776e4b4a86dcce157a543d
- http://cgit.freedesktop.org/accountsservice/commit/?id=bd51aa4cdac380f55d607f4ffdf2ab3c00d08721
- http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083359.html
- http://osvdb.org/83398
- http://secunia.com/advisories/49695
- http://secunia.com/advisories/49759
- http://www.openwall.com/lists/oss-security/2012/06/28/9
- http://www.securityfocus.com/bid/54223
- http://www.ubuntu.com/usn/USN-1485-1
- https://bugzilla.redhat.com/show_bug.cgi?id=832532
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76648
- https://hermes.opensuse.org/messages/15100967