PackageKit Improper Authorization Vulnerability in SetHints Method Allows Unauthorized File Probing

A vulnerability in PackageKit versions through 1.3.5 allows unprivileged users to probe the existence of any file on the system. This issue arises in the API component, specifically within the g_file_test function of src/pk-transaction.c. The vulnerability is exploited by manipulating the frontend-socket argument, leading to improper authorization. The issue can be executed remotely.

Impact

Exploitation of this vulnerability allows for unauthorized file probing, where an attacker can determine the existence of files on the system, potentially leading to further exploitation.

Reproduction

To reproduce this vulnerability, first create a root-privileged directory and place a text file in it. Then, create symbolic links in a user-writable directory that point to the file in the root-privileged directory. After setting up the symlinks, a D-Bus method call can be made to the SetHints method, using the symlink as the frontend-socket parameter. The response will indicate whether the target file exists, demonstrating the unauthorized file probing capability.

Remediation

This vulnerability can be addressed by modifying the SetHints method to disallow symbolic links, ensuring that the frontend-socket parameter only accepts direct paths to files or sockets.