Deepin Dde-Api-Proxy Privilege Escalation Vulnerability
Vulnerability
A vulnerability in Deepin dde-api-proxy versions through 1.0.19 allows unprivileged local users to access D-Bus services as root. The proxy runs as root and forwards messages from local users to legacy D-Bus methods in backend services that are unaware of the proxying; those services therefore see the proxy's root identity rather than the original caller's and cannot apply their usual caller-based authorization. As a result, methods that should be restricted to root become reachable by any local user. Where Polkit is involved, the caller may be treated as an administrator, escalating privileges further.
Impact
Exploitation of this vulnerability allows local users to gain root privileges, either directly or through group memberships, and potentially access other privileged operations via D-Bus.
Reproduction
The vulnerability can be reproduced by using the 'gdbus' command-line tool to call D-Bus methods through the dde-api-proxy. For example, invoking a method on the 'com.deepin.daemon.Grub2' service via the proxy bypasses the service's normal authentication checks, because the service sees the request as coming from root rather than from the unprivileged caller. Similarly, reaching the 'com.deepin.daemon.Accounts' service through the proxy lets unprivileged users perform actions that should require administrator rights, such as adding users to groups.
Remediation
Users can remove the 'dde-api-proxy' package from their system to address this vulnerability.
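The following audit script is an added example, not part of the advisory or of the Deepin project: it checks whether the dde-api-proxy package is still installed and whether the two legacy service names named above still have an owner on the system bus, reporting the owning process so an administrator can confirm the remediation took effect. It assumes a Debian-style dpkg database (Deepin is Debian-based) and systemd's busctl, whose `busctl status` output carries `UID=` and `Exe=` lines; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added audit helper (assumptions: dpkg-query and busctl are available).

# Legacy service names the advisory cites as reachable through the proxy.
LEGACY_NAMES="com.deepin.daemon.Grub2 com.deepin.daemon.Accounts"

# Returns 0 if the vulnerable package is still installed, 1 otherwise.
proxy_installed() {
    dpkg-query -W -f='${Status}\n' dde-api-proxy 2>/dev/null \
        | grep -q '^install ok installed$'
}

# classify_owner: reads `busctl status NAME` output on stdin and prints
#   "unowned"                 when nothing owns the name (empty input),
#   "root-owned <exe>"        when the owner runs as UID 0,
#   "unprivileged uid=<uid>"  otherwise.
# Constructed input "UID=0\nExe=/usr/bin/example" yields "root-owned /usr/bin/example".
classify_owner() {
    status=$(cat)
    uid=$(printf '%s\n' "$status" | sed -n 's/^UID=//p' | head -n 1)
    exe=$(printf '%s\n' "$status" | sed -n 's/^Exe=//p' | head -n 1)
    if [ -z "$uid" ]; then
        echo "unowned"
    elif [ "$uid" = "0" ]; then
        echo "root-owned ${exe:-unknown}"
    else
        echo "unprivileged uid=$uid"
    fi
}

# audit_names: report each legacy name and who serves it; returns 1 if any
# legacy name is still served by a root process (the proxy's signature).
audit_names() {
    rc=0
    for name in $LEGACY_NAMES; do
        out=$(busctl --system status "$name" 2>/dev/null | classify_owner)
        echo "$name: $out"
        case "$out" in
            root-owned*) rc=1 ;;
        esac
    done
    return $rc
}

if proxy_installed; then
    echo "dde-api-proxy is still installed; remove the package to remediate"
fi
audit_names
```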