Deepin Linux lastore-daemon D-Bus Privilege Escalation Vulnerability

A local privilege escalation vulnerability has been identified in the lastore-daemon package manager daemon used in Deepin Linux. This vulnerability is present in lastore-daemon versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7). The issue arises because the D-Bus configuration allows any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can exploit this by crafting a .deb package with a malicious post-install script and using dbus-send to install it via lastore-daemon, leading to arbitrary code execution as root.

Impact

Exploitation of this vulnerability allows for local privilege escalation, with unauthorized users gaining root access on the system.

Reproduction

To reproduce this vulnerability, a user must have shell access and be a member of the sudo group. Once these conditions are met, the user can create a .deb package containing a malicious post-install script. After crafting the package, the user can use the dbus-send command to invoke the InstallPackage method of the lastore-daemon D-Bus interface, effectively installing the package and executing the malicious script as root.