Security Advisory 12-004 – Qt Project Security Advisory
Qt System V shared memory segments created with insecure permissions.
Vulnerability discovery and development:
Portcullis Security Testing Services.
Credit for Discovery:
Tim Brown and Mark Lowe – Portcullis Computer Security Ltd.
All known versions of the Qt Framework on systems implementing System V shared memory are affected; the vulnerability was discovered in version 4.8.x, however 5.0.0 was also affected.
Qt applications such as those shipped with the KDE Software Compendium have been found to create System V shared memory segments with insecure permissions:
$ ipcs -a | grep 1474595
0x00000000 1474595 user 777 1024 2 dest
$ ipcs -p | grep 1474595
1474595 user 6120 6155
$ ps -aef | grep 6120
user 6120 1 0 Nov28 ? 00:02:49 /usr/bin/plasma-desktop
Initially, it was believed that the vulnerable code was part of the KDE Software Compendium. However, by running KDE applications under a debugger with a breakpoint on shmget(), the following backtrace was obtained:
Breakpoint 2, shmget () at ../sysdeps/unix/syscall-template.S:82
82 in ../sysdeps/unix/syscall-template.S
(gdb) bt
#0 shmget () at ../sysdeps/unix/syscall-template.S:82
#1 0x00007ffff613ac41 in ?? () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#2 0x00007ffff6252b9f in QRasterWindowSurface::prepareBuffer(QImage::Format, QWidget*) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
#3 0x00007ffff6252e07 in QRasterWindowSurface::setGeometry(QRect const&) () from /usr/lib/x86_64-linux-gnu/libQtGui.so.4
From this backtrace it was possible to determine that the culprit was in fact Qt. Specifically, whilst it is obscured in the backtrace, the code path includes calls to QNativeImage(width, height, format, false, widget), which make use of the following code:
xshminfo.shmid = shmget(IPC_PRIVATE, xshmimg->bytes_per_line * xshmimg->height, IPC_CREAT | 0777);
Here, shmget() is called to implement Qt's X11 protocol support for a buffer shared between the X server and the client. This method of IPC between X clients and servers allows for increased performance when rendering large pixmaps. As can be seen, in this case shmget() is called with a mode of 0777, which maps to "rwx" in each of the user, group and other permission contexts. Since the X server is typically running as root, it is believed there should be no need for client applications running with lesser privileges to create shared memory with these weakened permissions.
Whilst performing root cause analysis of the issue above, it was determined that the QSharedMemory and QSystemSemaphore classes also create shared memory segments (using shmget()) and semaphores (using semget()) with insecure permissions. An example of affected code using QSharedMemory can be seen below:
#include <QSharedMemory>

QSharedMemory *s = new QSharedMemory("test");
s->attach();
s->create(65535, QSharedMemory::ReadOnly);
Executing this code was found to result in the following shared memory segment being created:
$ ipcs -a
...
0x51001223 3047473 user 666 65535 0
...
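As an added example (not code from the advisory or from Qt), the following C program creates IPC_PRIVATE segments with the 0777 mode used by the X11 pixmap path above, with the 0666 mode seen in the QSharedMemory output, and with a hardened 0600 mode, then audits each segment's mode bits through shmctl(IPC_STAT), which is the same information ipcs -a reports in its perms column. Note that, unlike open(), shmget() does not apply the process umask, so the mode bits passed in IPC_CREAT | mode are exactly what the segment receives.

```c
/* Added example (not from the advisory or Qt): create System V shared
 * memory segments with a given mode and audit the resulting permissions
 * the way `ipcs -a` reports them. */
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Returns 1 if the segment is accessible by group or other in any way,
 * 0 if it is owner-only, -1 on error. */
int shm_is_world_accessible(int shmid) {
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    /* The low 9 bits of shm_perm.mode are the rwx bits for ugo. */
    return (ds.shm_perm.mode & 0077) ? 1 : 0;
}

/* Create an IPC_PRIVATE segment of `size` bytes. shmget() does not apply
 * the umask, so `mode` is used literally. */
int shm_create(size_t size, int mode) {
    return shmget(IPC_PRIVATE, size, IPC_CREAT | mode);
}

/* Mark the segment for removal; with no attachments it is freed at once. */
int shm_destroy(int shmid) {
    return shmctl(shmid, IPC_RMID, NULL);
}

/* Create a segment with `mode`, audit it and clean up.
 * Returns 1 = exposed to other users, 0 = owner-only, -1 = error. */
int audit_mode(int mode) {
    int id = shm_create(1024, mode);
    if (id == -1)
        return -1;
    int exposed = shm_is_world_accessible(id);
    shm_destroy(id);
    return exposed;
}

int main(void) {
    printf("0777 (Qt X11 pixmap buffer):   %s\n", audit_mode(0777) ? "exposed" : "owner-only");
    printf("0666 (QSharedMemory segment):  %s\n", audit_mode(0666) ? "exposed" : "owner-only");
    printf("0600 (hardened):               %s\n", audit_mode(0600) ? "exposed" : "owner-only");
    return 0;
}
```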
Insecure permissions can be used by an attacker to tamper with previously created System V shared memory segments or to read their contents. In the context of the Qt Framework, it was determined that weak permissions on the created segments may allow for the disclosure or corruption of pixmaps (GUI artifacts) being transmitted to the X server. Whilst in principle this could allow more interesting memory corruption attacks to be performed, no such attacks have yet been found within the context of the Qt Framework.
With respect to the QSharedMemory class, individual applications may be vulnerable to memory disclosure or corruption attacks depending on the context in which the created instances of this class are used. Likewise, the state of QSystemSemaphore instances may be manipulated to affect the availability of the calling application, again depending on the context of use.
The proof of concept exploit code is available.
29/11/2012 – vendor informed
03/12/2012 – issue disclosed to the Qt Security Team
20/12/2012 – patch created
15-25/01/2013 – patch applied to codelines
03/01/2013 – CVE-2013-0254 assigned by Red Hat Security Response Team
04/02/2013 – advisory released