Local privilege escalation Blueman

Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polkit-1 is disabled and for versions lower than 2.0.6, any local user can possibly exploit this. If Polkit-1 is enabled for version 2.0.6 and later, a possible attacker needs to be allowed to use the `org.blueman.dhcp.client` action. That is limited to users in the wheel group in the shipped rules file that do have the privileges anyway. On systems with ISC DHCP client (dhclient), attackers can pass arguments to `ip link` with the interface name that can e.g. be used to bring down an interface or add an arbitrary XDP/BPF program. On systems with dhcpcd and without ISC DHCP client, attackers can even run arbitrary scripts by passing `-c/path/to/script` as an interface name. Patches are included in 2.1.4 and master that change the DhcpClient D-Bus method(s) to accept BlueZ network object paths instead of network interface names. A backport to 2.0(.8) is also available. As a workaround, make sure that Polkit-1-support is enabled and limit privileges for the `org.blueman.dhcp.client` action to users that are able to run arbitrary commands as root anyway in /usr/share/polkit-1/rules.d/blueman.rules.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:L

输出中的特殊元素转义处理不恰当(注入)

Blueman 参数注入漏洞

Blueman是Blueman团队的一个适合在 GNOME 桌面环境使用的图形化蓝牙管理工具。主要功能有：发送文件、浏览设备上的文件、查看本地或远程设备的信息、配置本地设备、管理绑定、绑定服务等。 Blueman 2.1.4之前版本存在参数注入漏洞，该漏洞源于D-Bus接口DhcpClient方法容易存在参数注入漏洞。影响很大程度上取决于系统配置。如果禁用了polkit1，并且对于低于2.0.6的版本，任何本地用户都可以利用它。如果版本2.0.6或更高版本启用了Polkit-1，则需要允许可能的攻击者可利

N/A

N/A