CVE-2017-11171: gnome-session: Bad reference counting in the context of accept_ice_connection() in gsm-xsmp-server.c

[Matthias Gerstner <mgerstner () suse de>]

Affected package: gnome-session
Affected versions: < 2.29.92

Bad reference counting in the context of accept_ice_connection() in
gsm-xsmp-server.c in old versions of gnome-session up until version
2.29.92 allows a local attacker to establish ICE connections to
gnome-session with invalid authentication data (an invalid magic
cookie). Each failed authentication attempt will leak a file descriptor
in gnome-session.

When the maximum number of file descriptors is exhausted in the
gnome-session process, it will enter an infinite loop trying to
communicate without success, consuming 100% of the CPU. The graphical
session associated with the gnome-session process will stop working
correctly, because communication with gnome-session is no longer
possible.

This was fixed with the following commit:

https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d

The problem seems to be that upon connection establishment
gms_store_add() is called, but not gsm_store_remove(), even if the
authentication of the ICE connection fails.

You can find a proof of concept program attached.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11171
https://bugzilla.suse.com/show_bug.cgi?id=1048274

Regards

Matthias

-- 
Matthias Gerstner <matthias.gerstner () suse de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290

SUSE Linux GmbH 
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)

Attachment: ice_dos.c
Description:

Attachment: signature.asc
Description: Digital signature